Re: proper syntax for label on rdr rule

2008-06-14 Thread jared r r spiegel
On Thu, May 22, 2008 at 03:42:45PM -0400, Chris Smith wrote:
 Are there some limitations to what rules can apply labels? I'm trying to 
 add a label to a rdr rule but keep getting a syntax error.

  when i have this question, i search from the bottom of the pf.conf
  manpage up (the grammar section) for whatever keyword i want.

  doing so for label shows the following can take labels:

- antispoof
- filteropt

  so then i check for 'filteropt' and see that it is valid in
  'filteropt-list', which is only valid in:

- pf-rule

  so nope; no label on rdr :(

-- 

  jared


proper syntax for label on rdr rule

2008-05-22 Thread Chris Smith
Are there some limitations to what rules can apply labels? I'm trying to 
add a label to a rdr rule but keep getting a syntax error.

Thanks.

-- 
Chris


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Daniel Hartmeier
On Mon, Mar 21, 2005 at 10:11:31PM -0500, Jim Fron wrote:

 Any thoughts as to what I'm doing wrong?

It's probably some simple mistake in manipulating the ruleset. Make sure
you have both filter and translation rules loaded successfully, i.e. run

  # pfctl -sn

and check whether rdr rule is correctly loaded like you intend.

One somewhat obscure mistake is to run pfctl -R -f /etc/pf.conf,
misunderstanding the effect of -R, and not getting one's translation
rules replaced.

Daniel


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Jim Fron
> It's probably some simple mistake in manipulating the ruleset. Make sure
> you have both filter and translation rules loaded successfully, i.e. run
>
>   # pfctl -sn

No errors...

> and check whether rdr rule is correctly loaded like you intend.

Check.

> One somewhat obscure mistake is to run pfctl -R -f /etc/pf.conf,
> misunderstanding the effect of -R, and not getting one's translation
> rules replaced.

I presume `pfctl -F all -f pf.conf` should suffice?
Okay, time to post the entire ruleset.  This is my test ruleset, which 
fails.  If I change the one rdr on rule to rdr PASS, it works.

lan  = le0
wlan = le2
INT = 192.168.1.0/24
ext  = le1
table <NORTE> { 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 10.0.0.0/8, \
172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 255.255.255.255/32 \
240.0.0.0/5, 248.0.0.0/5 }

table <BMCAST> const { 224.0.0.0/4, 192.168.1.0, 192.168.1.255 }
table <BMCAST_ALLOW> const { 224.0.0.251 }
bmcast_prot = { udp }
bmcast_port = { 5353 }
ROUTER = 192.168.1.1
ext_svc = { http }
fwd_lan_port = { 999, 1001 }
ext_scan_ports = { 21, 22, 23, 25, 53, 79, 110, 111, 137, 138, 139, 143, 512 }

fwd_lan_dest_ip = 192.168.1.9
fwd_lan_dest_port = 
icmp_allow = { echoreq, echorep, timex, unreach }
br_wlan_tcp_svc_port = { 548 }
br_wlan_udp_svc_port = { 3689 }
wlan_svc_prot = { udp }
wlan_svc_port = { domain }
lan_svc = { ssh, domain }
ext_prio_ports = { ssh, domain }
set optimization normal
set block-policy return
scrub in all no-df fragment reassemble
scrub out on $ext all no-df fragment reassemble random-id
altq on $ext priq bandwidth 500Kb queue \
{ q_ext_high, q_ext_med, q_ext_bulk }
queue q_ext_high priority 5
queue q_ext_med priority 4
queue q_ext_bulk priority 1 priq(default)
nat on $ext from $INT to any -> $ext
rdr on $ext inet proto tcp \
to port $fwd_lan_port -> $fwd_lan_dest_ip port $fwd_lan_dest_port

block log-all all
pass quick on lo0
pass in log-all quick on $lan from $INT to any keep state
pass in log-all quick on $wlan inet proto $bmcast_prot from $INT \
to <BMCAST_ALLOW> port $bmcast_port
pass in log-all quick on $wlan inet proto udp from $INT to $INT \
port $br_wlan_udp_svc_port keep state
pass in log-all quick on $wlan inet proto tcp from $INT to $INT \
port $br_wlan_tcp_svc_port flags S/SA keep state
pass in log-all quick on $wlan inet proto $wlan_svc_prot from $INT to $ROUTER \
port $wlan_svc_port keep state

pass in log-all quick on $wlan inet proto icmp from $INT to $INT \
icmp-type $icmp_allow keep state
block in log-all quick on $wlan from any to <BMCAST>
block in log-all quick on $wlan from any to <NORTE>
block in log-all quick on $wlan from any to $ext
pass in log-all quick on $wlan inet proto icmp from $INT to any \
icmp-type $icmp_allow keep state
block in log-all quick on $wlan inet proto icmp
pass in log-all quick on $wlan from $INT to any keep state
block drop in log-all quick on $ext from <NORTE> to any
block drop in log-all quick on $ext from <BMCAST> to any
pass in log-all quick on $ext inet proto icmp from any to $ext \
icmp-type $icmp_allow keep state
#
#
# IT DOESN'T MATTER WHICH OF THE FOLLOWING TWO RULES IS UNCOMMENTED,
# IT STILL FAILS
#
pass in log-all quick on $ext inet proto tcp from any \
to port $fwd_lan_port keep state
#
#pass in log-all quick on $ext inet proto tcp from any to \
#   $fwd_lan_dest_ip port $fwd_lan_dest_port keep state
#
#
pass in log-all quick on $ext inet proto tcp from any to $ext \
port $ext_svc flags S/SA keep state
block drop in log-all quick on $ext inet proto { tcp, udp } \
from any to any port $ext_scan_ports
block drop in log-all quick on $ext
pass out log-all quick on $lan from any to any keep state
pass out log-all quick on $wlan from any to any keep state
block out log-all quick on $ext from any to NORTE
pass out log-all quick on $ext inet proto tcp from any to any \
port $ext_prio_ports flags S/SA \
queue(q_ext_med, q_ext_high) keep state
pass out log-all quick on $ext inet proto tcp from any to any \
flags S/SA queue(q_ext_bulk, q_ext_high) keep state
pass out log-all quick on $ext inet proto { udp, icmp } \
from any to any queue q_ext_med keep state


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Daniel Hartmeier
On Thu, Mar 24, 2005 at 08:36:31PM -0500, Jim Fron wrote:

   # pfctl -sn
 
 No errors...

Can you please post the verbatim output of pfctl -vvsn?

Daniel


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Jim Fron
On Mar 24, 2005, at 8:55 PM, Daniel Hartmeier wrote:

> Can you please post the verbatim output of pfctl -vvsn?

Got it.  Unlike /bin/sh, which does NOT concatenate a comment
line ending in \ with the following line, pf.conf considers

# foo \
bar

to be a multi-line comment.  Hence, in testing:

#rdr pass on $ext inet proto tcp \
rdr on $ext inet proto tcp \
to port $fwd_lan_port -> $fwd_lan_dest_ip port $fwd_lan_dest_port

No rdr rules were loaded, nor were any errors thrown.
(Having one of those duh moments...)
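The comment-swallowing behaviour described above, worked through as an added example that is not code from the thread or from pfctl: join_continuations() reproduces the observable rule (backslash-newline is joined before '#' is seen), effective_rules() shows what would actually be loaded, and lint_comment_continuations() flags the trap before a reload. SAMPLE is a constructed fragment modelled on the posted rules.

```python
"""pf.conf joins a backslash-newline before it looks for '#', so a comment line
that ends in a backslash swallows the next physical line.  Added example, not
pfctl's lexer: it models only the behaviour observed in the thread.  SAMPLE is a
constructed fragment modelled on the posted rules."""

SAMPLE = """\
ext = le1
#rdr pass on $ext inet proto tcp \\
rdr on $ext inet proto tcp \\
    to port 999 -> 192.168.1.9 port 999
pass in quick on $ext inet proto tcp to port 999 keep state
"""

# Same fragment with the backslash dropped from the commented-out line.
FIXED = SAMPLE.replace("proto tcp \\\n", "proto tcp\n", 1)


def join_continuations(text):
    """Glue backslash-newline pairs into logical lines, as pfctl's lexer does
    BEFORE comment handling.  Returns (logical_line, first_physical_lineno) pairs."""
    logical, buf, start = [], "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        logical.append((buf + raw, start))
        buf, start = "", None
    if start is not None:          # file ended right after a backslash
        logical.append((buf, start))
    return logical


def strip_comment(line):
    """A '#' comment runs to the end of the LOGICAL line; whitespace is normalised.
    (Quoted strings containing '#' are not modelled here.)"""
    idx = line.find("#")
    body = line if idx < 0 else line[:idx]
    return " ".join(body.split())


def effective_rules(text):
    """The rule text pf would really load from the fragment."""
    return [r for r in (strip_comment(l) for l, _ in join_continuations(text)) if r]


def lint_comment_continuations(text):
    """Physical lines that contain a '#' and still end with a backslash: every
    following continued line silently becomes part of that comment."""
    return [(lineno, raw) for lineno, raw in enumerate(text.splitlines(), 1)
            if "#" in raw and raw.rstrip().endswith("\\")]


if __name__ == "__main__":
    print("loaded from SAMPLE:", effective_rules(SAMPLE))   # no rdr rule, no error
    print("loaded from FIXED: ", effective_rules(FIXED))    # rdr rule is back
    for lineno, raw in lint_comment_continuations(SAMPLE):
        print("line %d: comment ends in backslash, swallows the next line: %s"
              % (lineno, raw))
```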


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Jim Fron
On Mar 24, 2005, at 8:55 PM, Daniel Hartmeier wrote:

> On Thu, Mar 24, 2005 at 08:36:31PM -0500, Jim Fron wrote:
>
> >  # pfctl -sn
> > No errors...
>
> Can you please post the verbatim output of pfctl -vvsn?

Interesting:
With rules as posted:

@0 nat on le1 inet from 192.168.1.0/24 to any -> 69.241.239.150
  [ Evaluations: 1  Packets: 0  Bytes: 0  States: 0 ]

Strange.  No rdr's.  But no errors while _loading_ the rdr rules, 
either.  Hmmm.

Unfortunately, I accidentally blew away the original while doing a
line-by-line modification.  Whatever the problem was, I either had bad
whitespace or comments, as all I have in my terminal's scrollback buffer
is a diff showing only comments and lines that differ by indentation.

Don't know.  All I can say is, it's working now.  Sorry for the bother.


Passing RDR outside of RDR rule

2005-03-22 Thread Jim Fron
Rule question:
http://www.openbsd.org/faq/pf/rdr.html
	NOTE: Translated packets must still pass through the filter engine and
	will be blocked or passed based on the filter rules that have been
	defined.

	The only exception to this rule is when the pass keyword is used
	within the rdr rule. In this case, the redirected packets will pass
	statefully right through the filtering engine: the filter rules won't
	be evaluated against these packets.

To this point, this is what I've been doing: using pass on my rdr rules.

lan  = le0
wlan = le2
INT = 192.168.1.0/24
ext  = le1
fwd_lan_port = 999
fwd_lan_dest_ip = 192.168.1.9
fwd_lan_dest_port = 
nat on $ext from $INT to any -> $ext
rdr pass on $ext inet proto tcp \
to port $fwd_lan_port -> $fwd_lan_dest_ip port $fwd_lan_dest_port
	...However, if you want to enable more specific filtering options such
	as synproxy, modulate state, etc. you'll still have to use a dedicated
	pass rule as these options don't fit into redirection rules.

Which is what I now want to do...
	Also be aware that since translation occurs before filtering, the
	filter engine will see the translated packet as it looks after it's had
	its destination IP address and/or destination port changed to match the
	redirection address/port specified in the rdr rule.

But I'm having trouble writing such a rule.
With my pass rdr rule, all traffic being redirected matches the 
following rule:

pass out log-all quick on $lan from any to any keep state
as it passes in to the internal network.  Everything works just fine.  
I can see the traffic on the internal interface, and I actually connect 
to the internal machine.  But I want more options on the rule that 
allows traffic to pass, so I remove the pass on the rdr rule:

rdr on $ext inet proto tcp \
to port $fwd_lan_port -> $fwd_lan_dest_ip port $fwd_lan_dest_port
And attempt to write a simple rule that will do exactly the same thing.
Understanding that the traffic will be translated BEFORE any rules are
applied, I figure this inbound traffic will change from:

dest IP = IP-of-OBSD box
dest-port = $fwd_lan_port
to:
dest IP = $fwd_lan_dest_ip
dest-port = $fwd_lan_dest_port
So I write the rule:
pass in log-all quick on $ext inet proto tcp from any to \
$fwd_lan_dest_ip port $fwd_lan_dest_port
Which shows up in pfctl -gs rules as:
	@26 pass in log-all quick on le1 inet proto tcp from any to 192.168.1.9 port = 

And I attempt the connection.  Unfortunately, the inbound traffic
misses rule @26 above, and makes it all the way to:

@54 block drop in log-all quick on le1 all
Which blocks it in on le1, showing the external interface's IP, and
	rule 54/0(match): block in on le1: [remote].63309 > [ext_if_ip].999: S ..

Okay, so the packet is actually NOT being modified before it hits the 
PF rules.

Scrap the rule I wrote, and change it to:
pass in log-all quick on $ext inet proto tcp from any \
to port $fwd_lan_port keep state
which resolves to:
	@26 pass in log-all quick on le1 inet proto tcp from any to any port = 999 keep state

Watching pflog0:
	rule 26/0(match): pass in on le1: [remote].63312 > [ext_if_ip].999: S 2386147166:2386147166(0)
		win 65535 <mss 1452,nop,wscale 0,[|tcp]> (ttl 50, id 39864, bad cksum 3217! differs by 4000)
	rule 26/0(match): pass out on le1: [ext_if_ip].999 > [remote].63312: R
		[tcp sum ok] 0:0(0) ack 2386147167 win 0 (ttl 64, id 32973)

I get a connection refused on the machine on the outside when I 
attempt to connect, and no traffic ever shows up on the internal 
interface.  No block rules are hit.  The connection is simply dropped.

Any thoughts as to what I'm doing wrong?
Thanks,
JMF


Re: RDR rule for ftp-proxy

2004-11-10 Thread Daniel Polak
Steve,
Sorry about giving you an answer which was a bit off.
Of course Daniel Hartmeier is right with regard to the negation.
I also just noticed that your pflog0 dump actually says pass instead of 
block.
Must have been the effects of a slight flu I'm suffering from.

Good that you have it working now.
Regards,
Daniel
 Original message from Daniel Polak at 9-11-2004 0:04
 Original message from Maat, Steve at 8-11-2004 23:21
Some internal ftp clients do not appear to be working through a new
OpenBSD (3.6) pf firewall configured with ftp-proxy.
I am trying prevent several clients from being redirected by the
ftp-proxy since they can't seem to handle the way ftp-proxy takes over
the ftp-session. I am not sure if they cannot handle the change in the
tcp/ip address or if it's a port issue (XP with SP2 firewall = BAD, XP
without SP2 firewall = good)
Anyway, is this a valid rule for the ftp-proxy rdr rule:
rdr on em0 proto tcp \
	from { !152.12.29.195 , 152.12.0.0/16 } \
	to any port 21 -> 127.0.0.1 port 8021
I've made the change to pf.conf, flushed rules, state & nat and reloaded
pf.conf, but when monitoring pflog0 during the ftp session I still see
the following:
Nov 08 17:03:21.009015 rule 1008/0(match): pass in on em0:
152.12.29.195.2514 > 127.0.0.1.8021: S 1646188028:1646188028(0) win
64512 <mss 1460,nop,nop,sackOK>
 

Steve,
A rdr rule is not the same as a pass rule.
You probably also need a rule like:
pass in quick on em0 proto tcp from { !152.12.29.195 , 152.12.0.0/16 } \
	to 127.0.0.1 port 8021

Check what rule 1008 is with pfctl -v -v -s rules | grep @ | more. 
That should help you find out what rule is blocking the FTP transfer.

Daniel



RE: RDR rule for ftp-proxy

2004-11-09 Thread Maat, Steve
Clears things up. Moved list to a table and all works as expected.

Thanks

SM

-Original Message-
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 08, 2004 8:43 PM
To: Maat, Steve
Cc: [EMAIL PROTECTED]
Subject: Re: RDR rule for ftp-proxy

On Mon, Nov 08, 2004 at 05:21:46PM -0500, Maat, Steve wrote:

 rdr on em0 proto tcp \
   from { !152.12.29.195 , 152.12.0.0/16 } \
   to any port 21 -> 127.0.0.1 port 8021

This is a frequently asked question, which the FAQ didn't answer so far;
the following paragraph was just added:

   Beware of constructs like the following, dubbed negated lists, which
   are a common mistake:

 pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }

   While the intended meaning is usually to match any address within
   10.0.0.0/8, except for 10.1.2.3, the rule expands to:
   
 pass in on fxp0 from 10.0.0.0/8
 pass in on fxp0 from !10.1.2.3
  
   which matches any possible address. Instead, a table should be used. 

Let me know if this doesn't clear things up completely, as in that case
the FAQ needs adjusting, too ;)

Daniel


RDR rule for ftp-proxy

2004-11-08 Thread Maat, Steve
Some internal ftp clients do not appear to be working through a new
OpenBSD (3.6) pf firewall configured with ftp-proxy.

I am trying prevent several clients from being redirected by the
ftp-proxy since they can't seem to handle the way ftp-proxy takes over
the ftp-session. I am not sure if they cannot handle the change in the
tcp/ip address or if it's a port issue (XP with SP2 firewall = BAD, XP
without SP2 firewall = good)

Anyway, is this a valid rule for the ftp-proxy rdr rule:

rdr on em0 proto tcp \
	from { !152.12.29.195 , 152.12.0.0/16 } \
	to any port 21 -> 127.0.0.1 port 8021

I've made the change to pf.conf, flushed rules, state & nat and reloaded
pf.conf, but when monitoring pflog0 during the ftp session I still see
the following:

Nov 08 17:03:21.009015 rule 1008/0(match): pass in on em0:
152.12.29.195.2514 > 127.0.0.1.8021: S 1646188028:1646188028(0) win
64512 <mss 1460,nop,nop,sackOK>

Thanks...

SM


Re: RDR rule for ftp-proxy

2004-11-08 Thread Daniel Polak
 Original message from Maat, Steve at 8-11-2004 23:21
Some internal ftp clients do not appear to be working through a new
OpenBSD (3.6) pf firewall configured with ftp-proxy.
I am trying prevent several clients from being redirected by the
ftp-proxy since they can't seem to handle the way ftp-proxy takes over
the ftp-session. I am not sure if they cannot handle the change in the
tcp/ip address or if it's a port issue (XP with SP2 firewall = BAD, XP
without SP2 firewall = good)
Anyway, is this a valid rule for the ftp-proxy rdr rule:
rdr on em0 proto tcp \
	from { !152.12.29.195 , 152.12.0.0/16 } \
	to any port 21 -> 127.0.0.1 port 8021

I've made the change to pf.conf, flushed rules, state & nat and reloaded
pf.conf, but when monitoring pflog0 during the ftp session I still see
the following:
Nov 08 17:03:21.009015 rule 1008/0(match): pass in on em0:
152.12.29.195.2514 > 127.0.0.1.8021: S 1646188028:1646188028(0) win
64512 <mss 1460,nop,nop,sackOK>
 

Steve,
A rdr rule is not the same as a pass rule.
You probably also need a rule like:
pass in quick on em0 proto tcp from { !152.12.29.195 , 152.12.0.0/16 } \
	to 127.0.0.1 port 8021

Check what rule 1008 is with pfctl -v -v -s rules | grep @ | more. That 
should help you find out what rule is blocking the FTP transfer.

Daniel


Re: RDR rule for ftp-proxy

2004-11-08 Thread Daniel Hartmeier
On Mon, Nov 08, 2004 at 05:21:46PM -0500, Maat, Steve wrote:

 rdr on em0 proto tcp \
   from { !152.12.29.195 , 152.12.0.0/16 } \
   to any port 21 -> 127.0.0.1 port 8021

This is a frequently asked question, which the FAQ didn't answer so far;
the following paragraph was just added:

   Beware of constructs like the following, dubbed negated lists, which
   are a common mistake:

 pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }

   While the intended meaning is usually to match any address within
   10.0.0.0/8, except for 10.1.2.3, the rule expands to:
   
 pass in on fxp0 from 10.0.0.0/8
 pass in on fxp0 from !10.1.2.3
  
   which matches any possible address. Instead, a table should be used. 

Let me know if this doesn't clear things up completely, as in that case
the FAQ needs adjusting, too ;)

Daniel


Re: rdr rule

2004-09-10 Thread Bryan Irvine
ahhh  *lightbulb*

Thanks Daniel!

--Bryan


On Fri, 10 Sep 2004 01:27:13 +0200, Daniel Hartmeier
[EMAIL PROTECTED] wrote:
 On Thu, Sep 09, 2004 at 03:21:25PM -0700, Bryan Irvine wrote:
 
  anyone know why this rule doesn't work?
 
 Because of the way {} lists are simply expanded by pfctl into multiple
 rules. If it were accepted,
 
    rdr from any to ! { a, b } -> c
  
  would become (be equivalent to)
  
    rdr from any to ! a -> c
    rdr from any to ! b -> c
  
  which would match any destination address, since any address is either
  different from a or different from b (assuming a != b), becoming
  equivalent to
  
    rdr from any to any -> c
  
  Hence, the construct is useless and refused by pfctl.
  
  Use a table
  
    table <exceptions> { a, b }
    rdr from any to ! <exceptions> -> c
  
  or a 'no rdr' construct
  
    no rdr from any to a
    no rdr from any to b
    rdr from any to any -> c
 
 Daniel
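Daniel's expansion argument above, and the FAQ paragraph quoted earlier in the ftp-proxy thread, worked through as an added Python example that is not code from the list or from pf: it expands a { } list into per-element rules the way pfctl does, shows that a negated list matches every address, and contrasts that with table semantics, where the longest-prefix entry decides and a ! entry really excludes. The addresses standing in for a, b and c are constructed.

```python
"""Why a negated { } list in pf.conf matches everything, and why a table does not.

Added example, not code from the thread or from pf/pfctl.  It models only the
address part of a rule: pfctl expands a { } list into one rule per element and
pf matches a packet if ANY of those rules matches; a table is one object with
longest-prefix lookup, where a '!' entry really excludes an address.
"""
from ipaddress import ip_address, ip_network


def parse_list(spec):
    """Turn 'a', '! a', '{ a, b }' or '! { a, b }' into [(negated, network), ...].

    A '!' in front of the whole spec applies to every element, which is exactly
    what pfctl's expansion does; an element may also carry its own '!'."""
    spec = spec.strip()
    whole_neg = spec.startswith("!")
    if whole_neg:
        spec = spec[1:].strip()
    if spec.startswith("{") and spec.endswith("}"):
        items = spec[1:-1].replace(",", " ").split()
    else:
        items = [spec]
    alts = []
    for item in items:
        item_neg = item.startswith("!")
        net = ip_network(item.lstrip("!"), strict=False)
        alts.append((whole_neg != item_neg, net))
    return alts


def expand_rule(dst_spec, target):
    """The single-address rules pfctl would load for 'rdr from any to DST -> TARGET'."""
    return ["rdr from any to %s%s -> %s" % ("! " if neg else "", net, target)
            for neg, net in parse_list(dst_spec)]


def list_matches(dst_spec, ip):
    """Expanded rules are evaluated one by one: the packet matches if any of them does."""
    addr = ip_address(ip)
    return any((addr in net) != neg for neg, net in parse_list(dst_spec))


def table_matches(entries, ip, negate_table=False):
    """pf table lookup: the longest-prefix entry decides and a '!' entry excludes.
    negate_table=True models writing 'to ! <table>' in the rule."""
    addr = ip_address(ip)
    best = None
    for neg, net in parse_list(entries):
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (neg, net)
    hit = best is not None and not best[0]
    return hit != negate_table


if __name__ == "__main__":
    exceptions = "{ 10.1.2.3, 10.1.2.4 }"   # constructed stand-ins for 'a' and 'b'
    print("\n".join(expand_rule("! " + exceptions, "127.0.0.1 port 8021")))
    for ip in ("10.1.2.3", "10.9.9.9"):
        # the list form matches both; only the table form exempts 10.1.2.3
        print(ip, "list:", list_matches("! " + exceptions, ip),
              "table:", table_matches(exceptions, ip, negate_table=True))
    # The FAQ's other shape, { 10.0.0.0/8, !10.1.2.3 }, goes wrong the same way:
    faq = "{ 10.0.0.0/8, !10.1.2.3 }"
    for ip in ("10.5.5.5", "10.1.2.3", "192.168.1.1"):
        print(ip, "list:", list_matches(faq, ip), "table:", table_matches(faq, ip))
```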



rdr rule

2004-09-09 Thread Bryan Irvine
anyone know why this rule doesn't work?

I've read and re-read the pf users guide but this specific example
isn't covered.

ftpservers = { ftp.kingcountyjournal.com intranet,kingcountyjournal.com }
rdr on $LANS proto tcp from any to ! $ftpservers port ftp -> $localhost port ftp-proxy


--Bryan


Re: rdr rule

2004-09-09 Thread Jason Opperisano
On Thu, 2004-09-09 at 18:21, Bryan Irvine wrote:
 anyone know why this rule doesn't work?
 
 I've read and re-read the pf users guide but this specific example
 isn't covered.
 
 ftpservers = { ftp.kingcountyjournal.com intranet,kingcountyjournal.com }
 ^
'cause of the comma? |

 rdr on $LANS proto tcp from any to ! $ftpservers port ftp -> $localhost port ftp-proxy
 
 
 --Bryan

-j

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
If God had wanted us to be concerned for the plight of the toads, he
would have made them cute and furry. -- Dave Barry
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~


RE: help with rdr rule

2004-05-04 Thread Gabriele Oleotti
THANK YOU SO MUCH

My fault was in your B). I'm actually migrating my firewall from MS ISA server to 
OpenBSD, and the IIS's gw pointed to the old ISA server...

Thank you so much to all who have answered my question!

bye,
Gabriele

-Original Message-
From: Juan Pablo Feria [mailto:[EMAIL PROTECTED]
Sent: Monday 3 May 2004 20.03
To: Gabriele Oleotti; [EMAIL PROTECTED]
Subject: Re: help with rdr rule


Gabriele:

A) Did you test the redirection on simpler rules like
rdr proto tcp from any to $wwwserver_ext port 80 -> $wwwserver_int port 80
If that works, then test your rules.

B) Re-check whether $wwwserver_int has your BSD firewall as its default GW.

C) Debug the packets with tcpdump: run tcpdump port 80 on both fw
interfaces and find where the problem is.

D) If you can, move to Apache on BSD ;)

Hope it helps...
Good Luck


On Mon, 2004-05-03 at 07:48, Gabriele Oleotti wrote:
 Hello everybody,
 I have the following problem (I've been working on it for about 5 days) and I'm not
 able to solve it. I have a web server on a Win2k + IIS on my internal network that is
 working fine, and I want it to be accessible from the internet through my OpenBSD
 box (which has a public IP).
 
 The problem is that I'm not able to access it. Accessing from the openbsd box to the
 internal server is ok (lynx http://my.internal.web.srv ), but when I try connecting
 from the outside world, it results in a 'Page cannot be displayed' from IE. Does
 anybody know why? Or can anybody point me in the right direction?
 
 Thank you,
 Gabriele
 
 Here is my pf.conf:
 
 int_if = fxp0
 ext_if = fxp1
 
 ext_addr = nnn.nnn.nnn.nnn
 int_addr = my.internal.net
 
 icmp_types = echoreq
 
 tcp_services = { 23 }  # { 23, 80 }
 
 RDR = rdr pass on $ext_if proto tcp from any to $ext_addr port
 RDR_UDP = rdr pass on $ext_if proto udp from any to $ext_addr port
 
 # SSH
 openssh_port = 22
 openssh_int_addr = my.internal.srv
 
 # Terminal Server
 ts_port = 3389
 ts_int_addr = my.terminal.srv
 
 # WEB
 web_port = 80
 web_ssl_port = 443
 web_int_addr = my.web.srv
 
 # VPN
 # -- PPTP
 gre = 47   # GRE = IP protocol 47
 pptp_port = 1723
 
 # -- L2TP/IPSec with NAT-T
 esp = 50# IPSEC-ESP = IP protocol 50
 ah = 51 # IPSEC-AH = IP protocol 51
 l2tp_port = 1701
 isakmp_port = 500
 natt_port = 4500
 
 # -- VPN Server
 vpn_int_addr = my.vpn.srv
 
 priv_nets = { 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }
 
 # Set default response for block filter rules
 set block-policy return
 
 # Turn on log on the external interface
 set loginterface $ext_if
 
 # Scrub all incoming traffic
 scrub in all
 
 # NAT all internal network
 nat on $ext_if from $int_if:network to any -> $ext_if
 
 # Use ftp-proxy for internal FTP clients to connect to Internet FTP servers
 rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 
 # Redirect OpenSSH traffic to internal server
 $RDR $openssh_port -> $openssh_int_addr port $openssh_port
 
 # Redirect Terminal Server traffic to internal server
 $RDR $ts_port -> $ts_int_addr port $ts_port
 
 # Redirect Web traffic
 $RDR $web_port -> $web_int_addr port $web_port
 $RDR $web_ssl_port -> $web_int_addr port $web_ssl_port
 
 # Redirect PPTP traffic to internal server
 $RDR $pptp_port -> $vpn_int_addr port $pptp_port
 rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr
 
 # Redirect L2TP traffic to internal server
 #$RDR_UDP $l2tp_port -> $vpn_int_addr port $l2tp_port
 $RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
 $RDR_UDP $natt_port -> $vpn_int_addr port $natt_port
 #rdr pass on $ext_if proto $esp from any to $ext_addr -> $vpn_int_addr
 #rdr pass on $ext_if proto $ah from any to $ext_addr -> $vpn_int_addr
 
 # == DEFAULT DENY
 block all
 
 # pass all traffic on the loopback interface
 pass quick on lo0 all
 
 # block all traffic coming from/to private networks on the external interface
 block drop in  quick on $ext_if from $priv_nets to any
 block drop out quick on $ext_if from any to $priv_nets
 
 # open port for incoming allowed TCP traffic on the external interface
 pass in on $ext_if inet proto tcp from any to \
   $ext_if port $tcp_services flags S/SA keep state
 
 # open allowed ICMP traffic
 pass in inet proto icmp all icmp-type $icmp_types keep state
 
 # permit all traffic through the internal interface
 pass in  on $int_if from $int_if:network to any keep state
 pass out on $int_if from any to $int_if:network keep state
 
 # permit all outgoing traffic to the Internet
 pass out on $ext_if proto tcp all modulate state flags S/SA
 pass out on $ext_if proto { udp, icmp } all keep state
 
 # permit incoming connections to ftp-proxy
 pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
-- 
Juan Pablo Feria Gomez
Network Administrator / Transportes Pitic S.A. de C.V.

help with rdr rule

2004-05-03 Thread Gabriele Oleotti
Hello everybody,
I have the following problem (I've been working on it for about 5 days) and I'm not 
able to solve it. I have a web server on a Win2k + IIS on my internal network that is 
working fine, and I want it to be accessible from the internet through my OpenBSD box 
(which has a public IP).

The problem is that I'm not able to access it. Accessing from the openbsd box to the 
internal server is ok (lynx http://my.internal.web.srv ), but when I try connecting 
from the outside world, it results in a 'Page cannot be displayed' from IE. Does 
anybody know why? Or can anybody point me in the right direction?

Thank you,
Gabriele

Here is my pf.conf:

int_if = fxp0
ext_if = fxp1

ext_addr = nnn.nnn.nnn.nnn
int_addr = my.internal.net

icmp_types = echoreq

tcp_services = { 23 }  # { 23, 80 }

RDR = rdr pass on $ext_if proto tcp from any to $ext_addr port
RDR_UDP = rdr pass on $ext_if proto udp from any to $ext_addr port

# SSH
openssh_port = 22
openssh_int_addr = my.internal.srv

# Terminal Server
ts_port = 3389
ts_int_addr = my.terminal.srv

# WEB
web_port = 80
web_ssl_port = 443
web_int_addr = my.web.srv

# VPN
# -- PPTP
gre = 47   # GRE = IP protocol 47
pptp_port = 1723

# -- L2TP/IPSec with NAT-T
esp = 50# IPSEC-ESP = IP protocol 50
ah = 51 # IPSEC-AH = IP protocol 51
l2tp_port = 1701
isakmp_port = 500
natt_port = 4500

# -- VPN Server
vpn_int_addr = my.vpn.srv

priv_nets = { 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }

# Set default response for block filter rules
set block-policy return

# Turn on log on the external interface
set loginterface $ext_if

# Scrub all incoming traffic
scrub in all

# NAT all internal network
nat on $ext_if from $int_if:network to any -> $ext_if

# Use ftp-proxy for internal FTP clients to connect to Internet FTP servers
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Redirect OpenSSH traffic to internal server
$RDR $openssh_port -> $openssh_int_addr port $openssh_port

# Redirect Terminal Server traffic to internal server
$RDR $ts_port -> $ts_int_addr port $ts_port

# Redirect Web traffic
$RDR $web_port -> $web_int_addr port $web_port
$RDR $web_ssl_port -> $web_int_addr port $web_ssl_port

# Redirect PPTP traffic to internal server
$RDR $pptp_port -> $vpn_int_addr port $pptp_port
rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr

# Redirect L2TP traffic to internal server
#$RDR_UDP $l2tp_port -> $vpn_int_addr port $l2tp_port
$RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
$RDR_UDP $natt_port -> $vpn_int_addr port $natt_port
#rdr pass on $ext_if proto $esp from any to $ext_addr -> $vpn_int_addr
#rdr pass on $ext_if proto $ah from any to $ext_addr -> $vpn_int_addr

# == DEFAULT DENY
block all

# pass all traffic on the loopback interface
pass quick on lo0 all

# block all traffic coming from/to private networks on the external interface
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# open port for incoming allowed TCP traffic on the external interface
pass in on $ext_if inet proto tcp from any to \
  $ext_if port $tcp_services flags S/SA keep state

# open allowed ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types keep state

# permit all traffic through the internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# permit all outgoing traffic to the Internet
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# permit incoming connections to ftp-proxy
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state


Re: help with rdr rule

2004-05-03 Thread Juan Pablo Feria
Gabriele:

A) Did you test the redirection on simpler rules like
rdr proto tcp from any to $wwwserver_ext port 80 -> $wwwserver_int port 80
If that works, then test your rules.

B) Re-check whether $wwwserver_int has your BSD firewall as its default GW.

C) Debug the packets with tcpdump: run tcpdump port 80 on both fw
interfaces and find where the problem is.

D) If you can, move to Apache on BSD ;)

Hope it helps...
Good Luck


On Mon, 2004-05-03 at 07:48, Gabriele Oleotti wrote:
 Hello everybody,
 I have the following problem (I've been working on it for about 5 days) and I'm not
 able to solve it. I have a web server on a Win2k + IIS on my internal network that is
 working fine, and I want it to be accessible from the internet through my OpenBSD
 box (which has a public IP).
 
 The problem is that I'm not able to access it. Accessing from the openbsd box to the
 internal server is ok (lynx http://my.internal.web.srv ), but when I try connecting
 from the outside world, it results in a 'Page cannot be displayed' from IE. Does
 anybody know why? Or can anybody point me in the right direction?
 
 Thank you,
 Gabriele
 
 Here is my pf.conf:
 
 int_if = fxp0
 ext_if = fxp1
 
 ext_addr = nnn.nnn.nnn.nnn
 int_addr = my.internal.net
 
 icmp_types = echoreq
 
 tcp_services = { 23 }  # { 23, 80 }
 
 RDR = rdr pass on $ext_if proto tcp from any to $ext_addr port
 RDR_UDP = rdr pass on $ext_if proto udp from any to $ext_addr port
 
 # SSH
 openssh_port = 22
 openssh_int_addr = my.internal.srv
 
 # Terminal Server
 ts_port = 3389
 ts_int_addr = my.terminal.srv
 
 # WEB
 web_port = 80
 web_ssl_port = 443
 web_int_addr = my.web.srv
 
 # VPN
 # -- PPTP
 gre = 47   # GRE = IP protocol 47
 pptp_port = 1723
 
 # -- L2TP/IPSec with NAT-T
 esp = 50# IPSEC-ESP = IP protocol 50
 ah = 51 # IPSEC-AH = IP protocol 51
 l2tp_port = 1701
 isakmp_port = 500
 natt_port = 4500
 
 # -- VPN Server
 vpn_int_addr = my.vpn.srv
 
 priv_nets = { 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }
 
 # Set default response for block filter rules
 set block-policy return
 
 # Turn on log on the external interface
 set loginterface $ext_if
 
 # Scrub all incoming traffic
 scrub in all
 
 # NAT all internal network
 nat on $ext_if from $int_if:network to any -> $ext_if
 
 # Use ftp-proxy for internal FTP clients to connect to Internet FTP servers
 rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 
 # Redirect OpenSSH traffic to internal server
 $RDR $openssh_port -> $openssh_int_addr port $openssh_port
 
 # Redirect Terminal Server traffic to internal server
 $RDR $ts_port -> $ts_int_addr port $ts_port
 
 # Redirect Web traffic
 $RDR $web_port -> $web_int_addr port $web_port
 $RDR $web_ssl_port -> $web_int_addr port $web_ssl_port
 
 # Redirect PPTP traffic to internal server
 $RDR $pptp_port -> $vpn_int_addr port $pptp_port
 rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr
 
 # Redirect L2TP traffic to internal server
 #$RDR_UDP $l2tp_port -> $vpn_int_addr port $l2tp_port
 $RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
 $RDR_UDP $natt_port -> $vpn_int_addr port $natt_port
 #rdr pass on $ext_if proto $esp from any to $ext_addr -> $vpn_int_addr
 #rdr pass on $ext_if proto $ah from any to $ext_addr -> $vpn_int_addr
 
 # == DEFAULT DENY
 block all
 
 # pass all traffic on the loopback interface
 pass quick on lo0 all
 
 # block all traffic coming from/to private networks on the external interface
 block drop in  quick on $ext_if from $priv_nets to any
 block drop out quick on $ext_if from any to $priv_nets
 
 # open port for incoming allowed TCP traffic on the external interface
 pass in on $ext_if inet proto tcp from any to \
   $ext_if port $tcp_services flags S/SA keep state
 
 # open allowed ICMP traffic
 pass in inet proto icmp all icmp-type $icmp_types keep state
 
 # permit all traffic through the internal interface
 pass in  on $int_if from $int_if:network to any keep state
 pass out on $int_if from any to $int_if:network keep state
 
 # permit all outgoing traffic to the Internet
 pass out on $ext_if proto tcp all modulate state flags S/SA
 pass out on $ext_if proto { udp, icmp } all keep state
 
 # permit incoming connections to ftp-proxy
 pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state