On 2/14/2020 11:21 AM, Fabio Martins wrote:
I am trying now only with the redirect to www.openbsd.org; if it works, I
am sure it can be adapted to my case.
Unfortunately, still no success.
# pf.conf:
ext_if="xnf0"

# Redirect inbound 8099 to the target host and tag the connection
match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
    rdr-to 129.128.5.194 port 80
# Source-NAT the redirected packets as they leave the same interface
match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if \
    nat-to $ext_if
match out log quick on $ext_if inet all tagged RDR nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"
pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if \
    port $server_open tag n_traffic

# block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if
On 2/14/2020 6:30 AM, Fabio Martins wrote:
Hi Nick,
Thanks. I applied both rules below; unfortunately I am still only hitting
rule #1 (rdr-to). nat-to is never reached (added "log" on each to test).
I tried inverting the order, too, but no luck.
#1
match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25 \
    rdr-to 200.200.200.200 port 2222
#2
match out on $ext_if proto tcp to 200.200.200.200 port 2222 received-on $ext_if \
    nat-to ($ext_if)
--
Fabio Martins
Odd, are you allowing the traffic with an appropriate pass rule later?
I use tagging for rules related to rdr and nat to keep things simple,
here is the full working setup I used to bounce port 8099 on the
external interface to www.openbsd.org port 80.
# Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
    rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if \
    nat-to $ext_if

# block all to start
block log all
pass quick tagged RDR
pass out on $ext_if
Make sure you are testing from an external host of course.
May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
tcpdump of a successful test connection:
c.c.c.c = remote test client on internet
r.r.r.r = firewall external IP
pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
tcpdump: listening on vmx1, link-type EN10MB
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK> [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK> [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> [tos 0x20]
14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 1026 [tos 0x20]
14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 0x20]
14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 1026 [tos 0x20]
14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 win 273 (DF) [tos 0x20]
14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 436 win 273 (DF) [tos 0x20]
14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 273 [tos 0x20]
14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 win 273 [tos 0x20]
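A complete pf.conf for the same bounce, written out here as an added example rather than taken from either poster's configuration. It uses the rdr-to/nat-to pair and the tag-based pass from the working setup quoted above, and spells out in comments why each half is needed and which checks confirm it. The interface name xnf0 and the target 129.128.5.194 port 80 are the values used in the thread; the macro names are mine.

```pf
# /etc/pf.conf: bounce TCP port 8099 on the external interface to
# 129.128.5.194 port 80 (www.openbsd.org in the thread).
# Added example, not a configuration posted in the thread; interface and
# target address are the values the posters used, macro names are assumed.

ext_if = "xnf0"
bounce_port = "8099"
target = "129.128.5.194"
target_port = "80"

# 1. Inbound leg: a client connects to $ext_if:8099. rdr-to rewrites the
#    destination to the target host; the tag marks the connection so the
#    pass rule below can identify it in both directions.
match in on $ext_if proto tcp from any to ($ext_if) port $bounce_port \
    tag RDR rdr-to $target port $target_port

# 2. Outbound leg: the redirected packet leaves on the same interface it
#    arrived on. received-on restricts this rule to packets that entered
#    via $ext_if, and nat-to rewrites the source to the firewall's own
#    address so the target's replies come back through pf instead of
#    being sent straight to the client (which would never complete the
#    handshake, since the client expects replies from $ext_if:8099).
match out on $ext_if proto tcp to $target port $target_port \
    received-on $ext_if nat-to $ext_if

# Default deny. "log" sends blocked packets to pflog0, so a missing pass
# rule shows up in: tcpdump -n -e -ttt -i pflog0
block log all

# match rules only attach translations; a pass rule is still required to
# create the state. The tag set in step 1 stays with the packet, so this
# one rule admits the bounced connection on the way in and on the way out.
pass quick tagged RDR

# Whatever the firewall itself originates.
pass out on $ext_if
```

Two things to check if the rdr-to rule is hit but the nat-to rule never fires: the host must be forwarding (`net.inet.ip.forwarding=1` in /etc/sysctl.conf, or `sysctl net.inet.ip.forwarding=1` for the running system), and the rule set should load cleanly with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`. After a test connection from an outside host, `pfctl -ss` should show a single state for the bounced connection carrying both the original and the translated endpoints, which correspond to the two address pairs (c.c.c.c:63091 to r.r.r.r:8099, and r.r.r.r:62530 to 129.128.5.194:80) seen in the tcpdump above; `pfctl -vsr` shows per-rule packet counters, which tells you directly whether the nat-to rule is being evaluated.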