Well I haven't set this up yet, I'm still writing my ruleset.

Is that line EXACTLY as it is in the config file?  If so, shouldn't you
put it all on one line or continue with a \ character?

TimH

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Bob Miller
> Sent: Monday, October 29, 2001 4:08 PM
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3514] Can't get pf rdr to work.
>
>
> Since both of our OpenBSD experts are reading mail this afternoon,
> let me pose the question that I sent to [EMAIL PROTECTED] earlier
> today.
>
>                                       K<bob>
>
> ---------------------------------------------------------------------------
> I'm building a firewall/router from OpenBSD 3.0-current, and I'm using
> the new pf for filtering and NAT.
>
> I can't get the rdr statement to work right in /etc/nat.conf.
>
> The external interface is dc0, a Macronix 98715.  It is listening on 3
> static IP addresses out of a /29 subnet.  There are four internal
> interfaces, de0-de3, on a LinkSys DFE-570TX four-port card.
>
> The 192.168.0.0/24 net is attached to de0.  I want to redirect ssh
> connections from outside to host 192.168.0.4.
>
> So I added this rule to /etc/nat.conf. (reformatted for mail)
>
>       rdr on dc0 proto tcp from any to 216.210.236.194 port ssh
>                                         -> 192.168.0.4 port ssh
>
> It doesn't work.  tcpdump shows that pf thinks it's routing packets to
> de0, but they don't come out of de0.  An external packet sniffer can't
> see them, and of course, sshd on 192.168.0.4 doesn't get them.
>
> Other traffic does go through de0 just fine, so it's not like the
> cable isn't plugged in. (-:
>
> What am I missing?
>
> Thanks in advance...
>
> Below is a typescript demonstrating the problem and showing the system
> configuration.
>
>                                       K<bob>
>
> ----------------------------------------------------------------------------
> Script started on Mon Oct 29 12:53:14 2001
> fw ~> sudo ./way-too-much-info.sh
> Password:
>
>
>
> ==========  sniffing: sleep 60  ==========
>             (external host 207.189.131.4 tries to ssh to
> 216.210.236.194)
>
>
>
> 12:53:32.312264 dc0 (extern) arp who-has 216.210.236.194 tell
> 216.210.236.193
> 12:53:32.312305 dc0 (extern) arp reply 216.210.236.194 is-at
> 0:80:c6:f9:8c:6
> 12:53:32.312868 dc0 (extern) 207.189.131.4.7812 >
> 216.210.236.194.22: tcp 0 (DF)
> 12:53:32.312917 rule 0/0(match): pass in on dc0:
> 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
> 12:53:32.312972 rule 1/0(match): pass out on de0:
> 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
> 12:53:35.309094 dc0 (extern) 207.189.131.4.7812 >
> 216.210.236.194.22: tcp 0 (DF)
> 12:53:35.309176 rule 1/0(match): pass out on de0:
> 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
> 12:53:41.306736 dc0 (extern) 207.189.131.4.7812 >
> 216.210.236.194.22: tcp 0 (DF)
> 12:53:41.306809 rule 1/0(match): pass out on de0:
> 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
> 12:54:21.959866 de0 (intern) arp who-has 192.168.0.5 tell
> 192.168.0.116
>
>
>
> ==========  sniffing: telnet 192.168.0.4 ssh  ==========
>             (192.168.0.4 accepts ssh connections)
>
> Trying 192.168.0.4...
> Connected to 192.168.0.4.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_2.9.9p2
> Connection closed by foreign host.
>
>
> 12:54:40.417132 rule 1/0(match): pass out on de0:
> 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
> 12:54:40.417318 de0 (intern) arp who-has 192.168.0.2 tell 192.168.0.4
> 12:54:40.417418 de0 (intern) 192.168.0.4.22 >
> 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.417438 rule 0/0(match): pass in on de0:
> 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.417507 rule 1/0(match): pass out on de0:
> 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
> 12:54:40.418928 de0 (intern) 192.168.0.4.22 >
> 192.168.0.2.44596: tcp 24 (DF)
> 12:54:40.418988 rule 0/0(match): pass in on de0:
> 192.168.0.4.22 > 192.168.0.2.44596: tcp 24 (DF)
> 12:54:40.419641 rule 1/0(match): pass out on de0:
> 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
> 12:54:40.419968 rule 1/0(match): pass out on de0:
> 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
> 12:54:40.420142 de0 (intern) 192.168.0.4.22 >
> 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.420175 rule 0/0(match): pass in on de0:
> 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.421015 de0 (intern) 192.168.0.4.22 >
> 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.421067 rule 0/0(match): pass in on de0:
> 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.421170 rule 1/0(match): pass out on de0:
> 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
>
>
>
> ==========  dmesg  ==========
>
> OpenBSD 3.0-beta (GENERIC) #0: Fri Oct 19 01:59:24 PDT 2001
>     kbob@fw:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel Celeron (Mendocino) ("GenuineIntel" 686-class,
> 128KB L2 cache) 468 MHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SYS,MTRR,PGE,MCA,CMOV,PAT,P
> SE36,MMX,FXSR
> real mem  = 65634304 (64096K)
> avail mem = 55537664 (54236K)
> using 826 buffers containing 3383296 bytes (3304K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(49) BIOS, date 10/28/99, BIOS32
> rev. 0 @ 0xf06b0
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> pcibios0 at bios0: rev. 2.1 @ 0xf0000/0xf02
> pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf0e70/144 (7 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB
> PCI-ISA" rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc0000/0x8000
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82810" rev 0x03: rng
> active, 9Kb/sec
> vga1 at pci0 dev 1 function 0 "Intel 82810 Graphics" rev 0x03
> wsdisplay0 at vga1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> ppb0 at pci0 dev 30 function 0 "Intel 82801AA Hub-to-PCI" rev 0x02
> pci1 at ppb0 bus 1
> dc0 at pci1 dev 8 function 0 "Macronix PMAC 98715" rev 0x25:
> irq 11 address 00:80:c6:f9:8c:06
> dcphy0 at dc0 phy 31: internal PHY
> ppb1 at pci1 dev 9 function 0 "DEC 21152 PCI-PCI" rev 0x03
> pci2 at ppb1 bus 2
> de0 at pci2 dev 4 function 0 "DEC 21142/3" rev 0x41: irq 10
> de0: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:95
> de1 at pci2 dev 5 function 0 "DEC 21142/3" rev 0x41: irq 12
> de1: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:96
> de2 at pci2 dev 6 function 0 "DEC 21142/3" rev 0x41: irq 5
> de2: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:97
> de3 at pci2 dev 7 function 0 "DEC 21142/3" rev 0x41: irq 11
> de3: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:98
> pcib0 at pci0 dev 31 function 0 "Intel 82801AA LPC" rev 0x02
> pciide0 at pci0 dev 31 function 1 "Intel 82801AA IDE" rev
> 0x02: DMA, channel 0 wired to compatibility, channel 1 wired
> to compatibility
> wd0 at pciide0 channel 0 drive 0: <IBM-DTTA-371440>
> wd0: 16-sector PIO, LBA, 13783MB, 16383 cyl, 16 head, 63 sec,
> 28229040 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> uhci0 at pci0 dev 31 function 2 "Intel 82801AA USB" rev 0x02: irq 5
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> "Intel 82801AA SMBus" rev 0x02 at pci0 dev 31 function 3 not
> configured
> auich0 at pci0 dev 31 function 5 "Intel 82801AA AC-97 Audio"
> rev 0x02: irq 10 ICH AC97
> ac97: codec id 0x41445340 (Analog Devices AD1881)
> ac97: codec features headphone, Analog Devices Phat Stereo
> audio0 at auich0
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> sysbeep0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> npx0 at isa0 port 0xf0/16: using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> biomask 4020 netmask 5c20 ttymask 5ca2
> pctr: 686-class user-level performance counters enabled
> mtrr: Pentium Pro MTRR support
> dkcsum: wd0 matched BIOS disk 80
> root on wd0a
> rootdev=0x0 rrootdev=0x300 rawdev=0x302
> de0: enabling 100baseTX port
> de1: enabling 10baseT port
> de1: abnormal interrupt: receive process stopped
> de2: autosense failed: cable problem?
> de3: autosense failed: cable problem?
>
>
>
> ==========  cat /etc/sysctl.conf  ==========
>
> #     $OpenBSD: sysctl.conf,v 1.24 2001/08/07 14:07:47 deraadt Exp $
> #
> # This file contains a list of sysctl options the user wants set at
> # boot time.  See sysctl(3) and sysctl(8) for more information on
> # the many available variables.
> #
> net.inet.ip.forwarding=1      # 1=Permit forwarding (routing)
> of packets
> #net.inet6.ip6.forwarding=1   # 1=Permit forwarding (routing)
> of packets
> #net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf
> (forwarding must be 0)
> #net.inet.tcp.rfc1323=0               # 0=disable TCP RFC1323
> extensions (for if tcp is slow)
> net.inet.esp.enable=1         # 0=Disable the ESP IPsec protocol
> net.inet.ah.enable=1          # 0=Disable the AH IPsec protocol
> #net.inet.ipcomp.enable=1     # 1=Enable the IPCOMP protocol
> #ddb.panic=0                  # 0=Do not drop into ddb on a
> kernel panic
> #ddb.console=1                        # 1=Permit entry of ddb
> from the console
> #fs.posix.setuid=0            # 0=Traditional BSD chown() semantics
> vm.swapencrypt.enable=1               # 1=Encrypt pages that
> go to swap
> #vfs.nfs.iothreads=4          # number of nfsio kernel threads
> #net.inet.ip.mtudisc=0                # 0=disable tcp mtu discovery
>
>
>
> ==========  pfctl -s all  ==========
>
> @0 pass in log all
> @1 pass out log all
> @nat on dc0 from 192.168.0.0/24 to any -> 216.210.236.194
> @nat on dc0 from 192.168.1.0/24 to any -> 216.210.236.195
> @nat on dc0 from 192.168.2.0/24 to any -> 216.210.236.196
> @rdr on dc0 proto tcp from any to 216.210.236.194/32 port 22
> -> 192.168.0.4 port 22
> @rdr on de1 proto tcp from any to 216.210.236.194/32 port 22
> -> 192.168.0.4 port 22
> @rdr on de2 proto tcp from any to 216.210.236.194/32 port 22
> -> 192.168.0.4 port 22
> Status: Enabled  Time: 1004388888  Since: 1004380160  Debug: None
> Bytes In IPv4: 0           Bytes Out: 0
>          IPv6: 0           Bytes Out: 0
> Inbound Packets IPv4:  Passed: 0           Dropped: 0
>                 IPv6:  Passed: 0           Dropped: 0
> Outbound Packets IPv4: Passed: 0           Dropped: 0
>                  IPv6: Passed: 0           Dropped: 0
> States: 0
> pf Counters
> state searches            208792
> state inserts             11
> state removals            11
> Counters
> match                     155896
> bad-offset                0
> fragment                  0
> short                     0
> normalize                 0
> memory                    0
>
>
>
> ==========  ifconfig -A  ==========
>
> lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33224
>       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
>       inet6 ::1 prefixlen 128
>       inet 127.0.0.1 netmask 0xff000000
> lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>       media: Ethernet autoselect (10baseT)
>       status: active
>       inet 216.210.236.194 netmask 0xfffffff8 broadcast
> 216.210.236.199
>       inet6 fe80::280:c6ff:fef9:8c06%dc0 prefixlen 64 scopeid 0x1
>       inet 216.210.236.195 netmask 0xffffffff broadcast
> 216.210.236.195
>       inet 216.210.236.196 netmask 0xffffffff broadcast
> 216.210.236.196
> de0:
> flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>       media: Ethernet autoselect (100baseTX)
>       status: active
>       inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
>       inet6 fe80::280:c8ff:feb9:b195%de0 prefixlen 64 scopeid 0x2
> de1:
> flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>       media: Ethernet autoselect (10baseT)
>       status: active
>       inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>       inet6 fe80::280:c8ff:feb9:b196%de1 prefixlen 64 scopeid 0x3
> de2:
> flags=8c63<UP,BROADCAST,NOTRAILERS,RUNNING,OACTIVE,SIMPLEX,MUL
> TICAST> mtu 1500
>       media: Ethernet autoselect
>       inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>       inet6 fe80::280:c8ff:feb9:b197%de2 prefixlen 64 scopeid 0x4
> de3:
> flags=8c63<UP,BROADCAST,NOTRAILERS,RUNNING,OACTIVE,SIMPLEX,MUL
> TICAST> mtu 1500
>       media: Ethernet autoselect
>       inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
>       inet6 fe80::280:c8ff:feb9:b198%de3 prefixlen 64 scopeid 0x5
> pflog0: flags=41<UP,RUNNING> mtu 33224
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
> sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> tun0: flags=10<POINTOPOINT> mtu 3000
> tun1: flags=10<POINTOPOINT> mtu 3000
> enc0: flags=0<> mtu 1536
> bridge0: flags=0<> mtu 1500
> bridge1: flags=0<> mtu 1500
> vlan0: flags=0<> mtu 1500
> vlan1: flags=0<> mtu 1500
> gre0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
> gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
>
>
>
> ==========  netstat -rnfinet  ==========
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Refs     Use
>   Mtu  Interface
> default            216.210.236.193    UGS         0        9
>  1500   dc0
> 127/8              127.0.0.1          UGRS        0        0
> 33224   lo0
> 127.0.0.1          127.0.0.1          UH          4       10
> 33224   lo0
> 192.168.0/24       link#2             UC          0        0
>  1500   de0
> 192.168.0.4        0:48:54:67:2c:4e   UHL         2    37348
>  1500   de0
> 192.168.1/24       link#3             UC          0        0
>  1500   de1
> 192.168.1.103      0:30:65:2e:6:bd    UHL         0        0
>  1500   de1
> 192.168.2/24       link#4             UC          0        0
>  1500   de2
> 192.168.3/24       link#5             UC          0        0
>  1500   de3
> 216.210.236.192/29 link#1             UC          0        0
>  1500   dc0
> 216.210.236.193    0:20:6f:7:df:74    UHL         1        0
>  1500   dc0
> 216.210.236.194    127.0.0.1          UGHS        0    71851
> 33224   lo0
> 216.210.236.195    127.0.0.1          UGHS        0        0
> 33224   lo0 =>
> 216.210.236.195/32 link#1             UC          0        0
>  1500   dc0
> 216.210.236.196    127.0.0.1          UGHS        0        0
> 33224   lo0 =>
> 216.210.236.196/32 link#1             UC          0        0
>  1500   dc0
> 224/4              127.0.0.1          URS         0        0
> 33224   lo0
>
>
>
> ==========  cat way-too-much-info.sh  ==========
>
> #!/bin/sh
>
> # Temporarily stop pflogd and bypass the packet filter.
>
>     kill `ps ax | awk '/pfl\ogd/{print $1}'`
>     pfctl -R - -N /etc/nat.conf <<EOF
>       pass in log all
>       pass out log all
> EOF
>
> # use: do_and_sniff comment command...
>
> function do_and_sniff {
>
>     comment="$1"; shift
>     echo "\n\n\n==========  sniffing: $@  ==========\n
>     ($comment)\n"
>
>     # Start logging packets at the packet filter and at de0 and dc0.
>
>     rm -f /tmp/pf.dump /tmp/dc0.dump /tmp/de0.dump
>     pflogd -d 5 -D -f /tmp/pf.dump 2> /dev/null &
>     logdpid=$!
>     tcpdump -p -w /tmp/dc0.dump -i dc0 2> /dev/null &
>     dc0pid=$!
>     tcpdump -p -w /tmp/de0.dump -i de0 2> /dev/null &
>     de0pid=$!
>     sleep 2                   # wait for tcpdumps to start
>
>     # Run the command.
>
>     "$@"
>     sleep 6                   # wait for tcpdumps to finish
>
>     # Stop logging packets.
>
>     kill $logdpid $dc0pid $de0pid
>     sleep 2
>
>     # Show the packets.  Sort by timestamp.
>
>     echo "\n"
>     {
>       tcpdump -qner /tmp/pf.dump
>       tcpdump -qnr /tmp/dc0.dump | sed 's/ / dc0 (extern) /'
>       tcpdump -qnr /tmp/de0.dump | sed 's/ / de0 (intern) /'
>      } | sort -n
> }
>
> # Demonstrate the problem.
>
>     do_and_sniff \
>       "external host 207.189.131.4 tries to ssh to 216.210.236.194" \
>       sleep 60
>
> # Demonstrate that sshd on 192.168.0.4 is working.
>
>     do_and_sniff \
>       "192.168.0.4 accepts ssh connections" \
>       telnet 192.168.0.4 ssh < /dev/null
>
> # Print various system info
>
>     function show {
>       echo "\n\n\n==========  $@  ==========\n"
>       "$@"
>     }
>
>     show dmesg
>     show cat /etc/sysctl.conf
>     show pfctl -s all
>     show ifconfig -A
>     show netstat -rnfinet
>     show cat way-too-much-info.sh
>
> # Restore packet filter and pflogd.
>
>     pfctl -R /etc/pf.conf -N /etc/nat.conf
>     pflogd
>
> fw ~> exit
>
> Script done on Mon Oct 29 12:55:41 2001
>
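The typescript quoted above merges the pflog decisions with tcpdump captures on dc0 and de0 and sorts them by timestamp; the symptom it shows is pf logging "pass out on de0" for the redirected ssh packets while the de0 capture never contains them. The following Python script is an added example, not part of the original thread or of the poster's way-too-much-info.sh, that automates that comparison: it parses lines in the same merged format, pairs every pf pass-out decision with a frame captured on the same interface within a short window, and reports the flows the filter claims to have forwarded but that never reached the wire. The sample input is taken from the capture above plus one constructed control flow (192.168.0.2.44600, not from the page) that does appear on de0; the one-second window and the function names are the example's own choices.

```python
import re

# Line formats as they appear in the merged capture produced by the poster's
# do_and_sniff function: pflog decisions ("rule N/M(match): pass out on de0:")
# and tcpdump frames that sed has tagged with the capture interface
# ("dc0 (extern)" / "de0 (intern)"). Note that pflog reports the destination
# after rdr translation, so the flow key already carries the internal address.
_TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+)"
_FLOW = (r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
         r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<proto>\w+)")
PFLOG_RE = re.compile(
    rf"^{_TS} rule \d+/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    rf"on (?P<ifc>\w+): {_FLOW}")
WIRE_RE = re.compile(rf"^{_TS} (?P<ifc>\w+) \((?:extern|intern)\) {_FLOW}")

# Constructed sample: the first six lines are the external ssh attempt from the
# capture above (unwrapped); the last two are a made-up control flow that does
# reach the de0 wire, so both outcomes of the check are exercised.
SAMPLE = """\
12:53:32.312868 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
12:53:32.312917 rule 0/0(match): pass in on dc0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:53:32.312972 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:53:35.309094 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
12:53:35.309176 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:54:21.959866 de0 (intern) arp who-has 192.168.0.5 tell 192.168.0.116
12:55:01.000100 rule 1/0(match): pass out on de0: 192.168.0.2.44600 > 192.168.0.4.22: tcp 0 (DF)
12:55:01.000250 de0 (intern) 192.168.0.2.44600 > 192.168.0.4.22: tcp 0 (DF)
"""


def _seconds(ts):
    """Convert HH:MM:SS.frac to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _flow_key(m):
    """Interface plus 5-tuple; the interface is the one pf or tcpdump named."""
    return (m["ifc"], m["src"], m["sport"], m["dst"], m["dport"], m["proto"])


def check_forwarding(lines, window=1.0):
    """Pair every pf 'pass out on <ifc>' decision with a frame captured on that
    interface within `window` seconds after it.

    Returns (forwarded, missing): lists of (timestamp, flow_key). A flow in
    `missing` is one the filter logged as passed out but that was never seen
    on the wire, which is exactly the symptom in the capture above.
    """
    wire = {}        # flow_key -> list of capture timestamps (seconds)
    decisions = []   # (seconds, original timestamp, flow_key)
    for line in lines:
        m = WIRE_RE.match(line)
        if m:
            wire.setdefault(_flow_key(m), []).append(_seconds(m["ts"]))
            continue
        m = PFLOG_RE.match(line)
        if m and m["action"] == "pass" and m["dir"] == "out":
            decisions.append((_seconds(m["ts"]), m["ts"], _flow_key(m)))
    forwarded, missing = [], []
    for t, ts, key in decisions:
        seen = any(t <= w <= t + window for w in wire.get(key, []))
        (forwarded if seen else missing).append((ts, key))
    return forwarded, missing


if __name__ == "__main__":
    fwd, miss = check_forwarding(SAMPLE.splitlines())
    for ts, (ifc, src, sport, dst, dport, proto) in miss:
        print(f"{ts} pass out on {ifc} but no frame on wire: "
              f"{src}.{sport} > {dst}.{dport} {proto}")
    print(f"{len(fwd)} decision(s) confirmed on the wire, {len(miss)} missing")
```

Run it as `python3 check_forwarding.py`, or feed it the sorted output of the poster's script via `check_forwarding(sys.stdin)`; each retransmission of the external ssh SYN is reported separately, because pf logs a fresh pass-out decision for each one. The same pairing works for any interface the sed step tags, not only de0.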
