Hello,

If you are using only redirections, the source host will receive a SYN-ACK
from 192.168.1.70, but there was no previous SYN to this address, so
the source host will send a TCP reset. A solution may be:

pass in on $int_if proto tcp from $int_if:network to any port 80 rdr-to 192.168.1.70
pass out on $int_if proto tcp from $int_if:network to any port 80 received-on $int_if nat-to $int_if


On 01.03.2013 06:07, Matt Morrow wrote:
> I have pf running on an openbsd box handling port forwarding. All ports
> seem to forward ok except for port 80.
> 
> Apache is running on a slackware box. I can access apache just fine
> internally by using the ip address of that server (192.168.1.70), but if I
> access the ip of the openbsd box (192.168.1.60) I just get an error that
> the server is not available. It should be forwarding port 80 to the
> slackware box.
> 
> Here is my pf.conf
> -----------------------------
> ext_if = "rl0"
> int_if = "em0"
> 
> icmp_types="echoreq"
> set block-policy return
> set loginterface egress
> 
> set skip on lo
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> block in log
> pass out log quick
> antispoof quick for { lo $int_if }
> 
> #################################
> #   port forwarding
> #################################
> pass in on $ext_if proto tcp from any to any port 80 rdr-to 192.168.1.70 port 80
> pass in on $int_if proto tcp from any to any port 80 rdr-to 192.168.1.70 port 80
> pass in on $ext_if proto tcp from any to any port 6699 rdr-to 192.168.1.60 port 22
> pass in on $ext_if proto tcp from any to any port 51413 rdr-to 192.168.1.105 port 51413
> pass in on $ext_if proto udp from any to any port 51413 rdr-to 192.168.1.105 port 51413
> pass in on $int_if proto udp from any to any port 58846 rdr-to 192.168.1.101 port 6881
> pass in on $ext_if proto tcp from any to any port 9000 rdr-to 192.168.1.105 port 81
> 
> ############################################################
> #pass in log (all) inet proto icmp all icmp-type $icmp_types
> pass in log (all) on $int_if
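
Added example, not part of the original thread: a small Python model of the packet flow the reply describes, showing why the client resets the connection with rdr-to alone and why adding nat-to on the internal interface fixes it. The client address 192.168.1.50 and source port 40000 are constructed, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Addresses from the thread, except CLIENT, which is a constructed LAN host.
CLIENT, FIREWALL, SERVER = "192.168.1.50", "192.168.1.60", "192.168.1.70"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

class Firewall:
    """Simplified pf: translates on the way in, keeps state to undo it on replies."""
    def __init__(self, nat_to):
        self.nat_to = nat_to
        self.states = {}  # reply 4-tuple -> (original dst, original src)

    def forward(self, pkt):
        # rdr-to always rewrites the destination; nat-to also rewrites the source.
        src = FIREWALL if self.nat_to else pkt.src
        out = Packet(src, pkt.sport, SERVER, pkt.dport, pkt.flags)
        self.states[(out.dst, out.dport, out.src, out.sport)] = (pkt.dst, pkt.src)
        return out

    def reverse(self, pkt):
        # Only reached when the reply is actually addressed to the firewall.
        orig_dst, orig_src = self.states[(pkt.src, pkt.sport, pkt.dst, pkt.dport)]
        return Packet(orig_dst, pkt.sport, orig_src, pkt.dport, pkt.flags)

def simulate(nat_to):
    """Return (source address of the SYN-ACK seen by the client, client verdict)."""
    fw = Firewall(nat_to)
    syn = Packet(CLIENT, 40000, FIREWALL, 80, "S")
    at_server = fw.forward(syn)
    # The server answers whatever source address it saw on the SYN.
    syn_ack = Packet(SERVER, 80, at_server.src, at_server.sport, "SA")
    if syn_ack.dst == FIREWALL:
        syn_ack = fw.reverse(syn_ack)  # reply passes back through pf
    # Otherwise the server and client share a subnet, so the reply bypasses pf.
    expected_peer = (syn.dst, syn.dport)  # the client only knows FIREWALL:80
    ok = (syn_ack.src, syn_ack.sport) == expected_peer
    return syn_ack.src, "ESTABLISHED" if ok else "RST"

if __name__ == "__main__":
    print("rdr-to only:     ", simulate(False))
    print("rdr-to + nat-to: ", simulate(True))
```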
