Anathae Townsend wrote:
>
> I am currently trying to open up a few ports on my firewall to allow an
> internal windows home server to provide services to the outside world.
>
> My OpenBSD version is OpenBSD 4.5-current (GENERIC) #6: Sat May 16 21:50:41
> MDT 2009
>
> I am trying to use the simple proxy method mentioned in the FAQ on
> OpenBSD.org to forward internal requests to the external ip address to the
> home server.
>
> However, I can't get there from here. Neither internal nor external requests to the
On page 58 of Hansteen's excellent "The Book of PF" there is an incantation.
-- from slightly sanitized /etc/pf.conf
-- OpenBSD vintage approx. 4.4
-- scrub is now automatic, ftp-proxy may have changed
Both local and internet refer to the server (Linux) by the one external IP
(on the OpenBSD gateway/firewall/router), including the local server talking
to itself (and it does a lot of that).
Seems like the last two lines below are the critical ones.
scrub in ## this would be redundant and wrong on -current
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port $services -> $server
### (p 58 The Book of PF )
rdr on $int_if proto tcp from $localnet to $ext_if port $services -> $server
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $server port $services -> $int_if
> external ip address work. A msdos telnet session to the external ip address,
> port 25 returns an SMTP 421 error immediately and exits.
>
> Any help on opening up these ports would be greatly appreciated, below is my
> current pf.conf, as well as (slightly edited) output of ifconfig for the
> internal (ingress) and external (egress) interfaces on the firewall.
>
> NAT is working internally, and I am able to both send email and read web
> pages (among other stuff.)
>
> --pf.conf------------------------------------------------------------------------
> # pf.conf created july 6, 2009
> # author: Anathae Townsend
>
> # macros
> homeserv = "192.168.0.195"
> homeport = "{http, https, 4125, smtp, pop3, imap }"
>
> # skip loop back, makes rules quicker
> set skip on lo
>
> # redirects for home server
> rdr on egress proto tcp from any to egress port $homeport -> $homeserv
>
> # redirects for internal web access to proxy server
> rdr on ingress proto tcp from ingress:network to egress port 80 -> 127.0.0.1 port 5000
>
> # NAT rules to allow inside->out
> nat on egress from ingress:network -> (egress)
>
> # allow internal systems to make connection
> pass in # to establish keep-state
>
> # allow home server services
> pass proto tcp from any to $homeserv port $homeport synproxy state
> pass proto tcp from $homeserv to any port smtp synproxy state
>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp from any to any port 6000
> --ifconfig sk0------------------------------------------------------------------
> sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:1e:58:ab:13:8c
> priority: 0
> groups: ingress
> media: Ethernet autoselect (1000baseT
> full-duplex,rxpause,txpause)
> status: active
> inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> inet 192.168.0.51 netmask 0xffffff00 broadcast 192.168.0.255
> --ifconfig rl0------------------------------------------------------------------
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:05:5d:d2:6e:48
> priority: 0
> groups: egress
> media: Ethernet autoselect (10baseT half-duplex)
> status: active
> inet #.#.#.# netmask 0xffffff80 broadcast #.#.#.#
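An added example (not the original poster's or the replier's config) that carries the reply's "Book of PF" reflection rules into the poster's OpenBSD 4.5-era pf.conf, with interface macros in place of the group names. It assumes sk0 is the 192.168.0.0/24 LAN side and rl0 the external side, as in the ifconfig output above, and a single home server at 192.168.0.195.

```pf
# Added example, not the original poster's or the replier's ruleset.
# OpenBSD 4.5-era syntax (separate nat/rdr rules). Assumed from the thread:
# sk0 = internal LAN 192.168.0.0/24, rl0 = external, server 192.168.0.195.
ext_if   = "rl0"
int_if   = "sk0"
localnet = $int_if:network
homeserv = "192.168.0.195"
homeport = "{ http, https, 4125, smtp, pop3, imap }"

set skip on lo

# nat/rdr are first-match: if the poster's port-80 proxy redirect is kept,
# it must come after the reflection rule below, or it swallows internal
# http requests aimed at the external address before reflection sees them.

# Outside -> external address -> home server (what the poster already has)
rdr on $ext_if proto tcp from any to ($ext_if) port $homeport -> $homeserv

# Inside -> external address: rewrite the destination to the home server.
# Without this the packet is delivered to the gateway's own address and never
# reaches the server.
rdr on $int_if proto tcp from $localnet to ($ext_if) port $homeport -> $homeserv

# Leave the gateway's own LAN traffic alone ...
no nat on $int_if proto tcp from ($int_if) to $localnet
# ... but source-NAT reflected connections to the gateway's LAN address so the
# server answers the gateway and pf can un-translate the reply. Otherwise the
# server replies straight to the client, which sees a SYN/ACK from
# 192.168.0.195 instead of the external address and resets the connection.
# ":0" takes only sk0's first address, since the poster's sk0 carries an alias.
nat on $int_if proto tcp from $localnet to $homeserv port $homeport -> ($int_if:0)

# Ordinary outbound NAT for the LAN
nat on $ext_if from $localnet -> ($ext_if:0)

# Filtering runs after translation, so filter on the post-rdr addresses:
# only the published ports reach the server, from either side.
block in all
pass out keep state
pass in on $int_if from $localnet keep state
pass in proto tcp from any to $homeserv port $homeport synproxy state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s state` during an internal test connection should show the translated pair (client -> external address, then gateway LAN address -> server).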