You're using keep state in other places.  Why is it missing from "pass
in on $ext_if proto tcp from any to any port 3389"?

Leonardo Rodrigues wrote:
> I'm having a bit of trouble trying to access a Windows 2003 server
> that is behind an OpenBSD 3.9 -current firewall.
> 
> From the LAN, I can remote access the 2k3 server easily, by just
> opening the mstsc and entering the machine's IP (192.168.0.1).
> The problem is, I want to access the 2k3 server from home, and my PF
> rules aren't working =(
> I try to connect to the firewall's external IP via the ms terminal
> service client, but my connection times out...
> 
> Here's my pf.conf
> 
> #BEGIN
> lab_if = "em0" # i'm still not using it.
> adm_if = "rl0"
> ext_if = "rl1"
> 
> tcp_services = "{ 22, 113  }"
> icmp_types = "echoreq"
> priv_nets = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"
> 
> set block-policy return
> set loginterface $ext_if
> 
> scrub in all
> 
> nat on $ext_if from $adm_if:network to any -> $ext_if
> 
> #RDP rdr rule
> rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.1 port 3389
> 
> block all
> 
> pass quick on lo0 all
> 
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> 
> # RDP (MS Terminal Service)
> pass in on $ext_if proto tcp from any to any port 3389
> 
> pass in on $ext_if inet proto tcp from any to $ext_if \
>  port $tcp_services flags S/SA keep state
> 
> pass in inet proto icmp all icmp-type $icmp_types keep state
> 
> pass in on $adm_if from $adm_if:network to any keep state
> #pass in on $lab_if from $lab_if:network to any keep state
> 
> pass out on $adm_if from any to $adm_if:network keep state
> #pass out on $lab_if from any to $lab_if:network keep state
> 
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> #END
> 
> I think I'm missing something very obvious here... so, better ask the
> list than slam my head on the wall :D
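
The rule the reply points at, beside a stateful version of it, as an added example that is not from either poster. On OpenBSD 3.9 a pass rule without keep state is stateless: it admits only the inbound packets it matches, and the server's SYN/ACK going back out on $ext_if has to match an outbound rule on its own. The poster's "pass out on $ext_if proto tcp all modulate state flags S/SA" only matches packets with SYN set and ACK clear, so the SYN/ACK falls through to "block all" and the client times out. The rdp_srv and home_ip macros below are assumptions added for the example, not values from the thread:

```pf
# --- as posted: stateless, and open to any source ---
# rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.1 port 3389
# pass in on $ext_if proto tcp from any to any port 3389

# --- corrected: stateful, and limited to the one source that needs it ---
ext_if  = "rl1"
rdp_srv = "192.168.0.1"
home_ip = "203.0.113.10"   # assumed example address (TEST-NET-3); use the real one

rdr on $ext_if proto tcp from $home_ip to $ext_if port 3389 -> $rdp_srv port 3389

# Filtering sees the packet after rdr has rewritten the destination, so the
# pass rule matches the internal address. keep state creates a state entry on
# the SYN, and the SYN/ACK from $rdp_srv plus every later packet of the
# connection is matched against that state instead of needing a "pass out" rule.
pass in on $ext_if proto tcp from $home_ip to $rdp_srv port 3389 flags S/SA keep state
```

After loading the ruleset, "pfctl -nf /etc/pf.conf" checks it parses, and "pfctl -ss" after a connection attempt should show a state for $home_ip to $rdp_srv:3389; if no state appears, the SYN is being blocked before the pass rule, not on the way back.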
