Hello everyone! I'm having a bit of trouble trying to access a Windows 2003 server that is behind an OpenBSD 3.9 -current firewall.
From the LAN, I can remote access the 2k3 server easily, by just opening the mstsc and entering the machine's IP (192.168.0.1). The problem is, I want to access the 2k3 server from home, and my PF rules aren't working =( I try to connect to the firewall's external IP via the ms terminal service client, but my connection times out...

Here's my pf.conf

#BEGIN
lab_if = "em0" # i'm still not using it.
adm_if = "rl0"
ext_if = "rl1"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy return
set loginterface $ext_if

scrub in all

nat on $ext_if from $adm_if:network to any -> $ext_if

#RDP rdr rule
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.1 port 3389

block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# RDP (MS Terminal Service)
pass in on $ext_if proto tcp from any to any port 3389

pass in on $ext_if inet proto tcp from any to $ext_if \
    port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $adm_if from $adm_if:network to any keep state
#pass in on $lab_if from $lab_if:network to any keep state

pass out on $adm_if from any to $adm_if:network keep state
#pass out on $lab_if from any to $lab_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#END

I think I'm missing something very obvious here... so, better ask the list than slam my head on the wall :D

Also, as one can see from the .conf file, I have two networks, ADM (192.168.0.0/24) and LAB (192.168.1.0/24), that must be isolated from each other. I still haven't figured that one out yet.

Anyone willing to give me some light onto this matter?

Thanks in advance, and kudos for everyone that makes OpenBSD a great OS :)