2010/3/17 N. Arley Dealey <arley.dea...@gmail.com>
> Help! I'm obviously overlooking something really obvious but I just can't
> see it.
>
> I'm building my first PF-based router/firewall using OpenBSD 4.6. For now,
> what I need it to do is pretty simple:
>
> 1. Allow all outbound traffic via NAT and allow all inbound responses.
> 2. Allow only ssh and auth to the external interface.
> 3. Redirect two ports (2000 & 4200) to two different hosts on the
>    internal net.
>
> I've created a minimal pf.conf file that I thought would accomplish this.
> Goals 1 & 2 are working fine (I can connect outbound from hosts on the
> internal net and I can connect to the firewall inbound via ssh) but the
> redirections are not going anywhere.
>
> I don't know what to do next other than enable logging, fire up tcpdump and
> try to see what is actually happening. But I thought I'd ask first if
> anybody more familiar with pf can see something fundamentally flawed with
> my config.
>
> Here is the pf.conf (slightly edited to obscure the actual IPs)
>
> # pf.conf: agilulf.det2.gw00
>
> #################################################################################
> # MACROS
> #--------------------------------------------------------------------------------
>
> # interfaces
> ifExt = "fxp0" # 66.b.c.118
> ifInt = "fxp1" # 192.x.y.2
>
> ################################################################################
> # OPTIONS
> #--------------------------------------------------------------------------------
>
> set block-policy return
> set loginterface $ifExt
> set skip on lo
>
> ################################################################################
> # NAT & Redirection
> #--------------------------------------------------------------------------------
>
> nat on $ifExt from !$ifExt -> $ifExt:0
>
> rdr pass on $ifExt proto tcp from any to any port 4200 -> 192.x.y.40 port 4200
> rdr pass on $ifExt proto tcp from any to any port 2000 -> 192.x.y.21 port 2000
>
> #################################################################################
> # FILTER RULES
> #--------------------------------------------------------------------------------
>
> block in
> pass out keep state
>
> # internal clients
> pass in quick on $ifInt
>
> # external
> pass in inet proto icmp all icmp-type echoreq
> pass in on $ifExt inet proto tcp from any to $ifExt port { ssh, auth }
>
> ###EoF###
>
> And here is the result of loading pf.conf
>
> # pfctl -vf /etc/pf.conf
> ifExt = "fxp0"
> ifInt = "fxp1"
> set block-policy return
> set loginterface fxp0
> set skip on { lo }
> nat on fxp0 inet from ! 66.b.c.118 to any -> 66.b.c.118
> rdr pass on fxp0 inet proto tcp from any to any port = 4200 -> 192.x.y.40 port 4200
> rdr pass on fxp0 inet proto tcp from any to any port = 2000 -> 192.x.y.21 port 2000
> block return in all
> pass out all flags S/SA keep state
> pass in quick on fxp1 all flags S/SA keep state
> pass in on fxp0 inet proto tcp from any to 66.b.c.118 port = ssh flags S/SA keep state
> pass in on fxp0 inet proto tcp from any to 66.b.c.118 port = auth flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> #
>
> From the firewall box, I can ping and traceroute successfully to the two
> destination hosts for the redirections and I can connect to the
> destination ports of the redirections. I just can't make the redirected
> connections via the external interface of the firewall.
>
> Any help would be greatly appreciated.
>

Hi,
maybe you forgot a pass rule to allow traffic on port 2000 and 4200?
Let me know any news, best regards.
--
Matteo Filippetto
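One way to write the explicit pass rules Matteo suggests, added here as an illustration and not part of the thread. In the pre-4.7 pf syntax that OpenBSD 4.6 uses, rdr is applied before the filter rules are evaluated, so a pass rule for a redirected port has to match the translated internal destination rather than $ifExt; the posted "rdr pass" form passes the packets implicitly, and spelling the rules out instead makes them explicit and lets them carry "log". The interface macros and 192.x.y.* hosts come from the posted config; the srv4200/srv2000 macro names and the "log" keywords are additions.

```pf
# NAT & Redirection (OpenBSD 4.6 syntax; interface macros as in the posted config)
ifExt = "fxp0"
ifInt = "fxp1"
srv4200 = "192.x.y.40"   # internal host that should receive port 4200 (from the post)
srv2000 = "192.x.y.21"   # internal host that should receive port 2000 (from the post)

nat on $ifExt from !$ifExt -> $ifExt:0

# Redirect only traffic addressed to the firewall's own external address,
# and leave "pass" off the rdr so the filter rules below decide what gets in.
rdr on $ifExt proto tcp from any to $ifExt port 4200 -> $srv4200 port 4200
rdr on $ifExt proto tcp from any to $ifExt port 2000 -> $srv2000 port 2000

# FILTER RULES
block in log            # "log" sends blocked packets to pflog0 for tcpdump

pass out keep state
pass in quick on $ifInt

# Translation happens before filtering on 4.6, so these rules name the
# internal destination the packet has after rdr, not $ifExt.
pass in log on $ifExt inet proto tcp from any to $srv4200 port 4200 flags S/SA keep state
pass in log on $ifExt inet proto tcp from any to $srv2000 port 2000 flags S/SA keep state

pass in on $ifExt inet proto tcp from any to $ifExt port { ssh, auth } keep state
pass in inet proto icmp all icmp-type echoreq

# Checking the result on the firewall:
#   pfctl -vnf /etc/pf.conf          # parse and expand the file without loading it
#   pfctl -sn ; pfctl -sr            # show the loaded nat/rdr and filter rules
#   tcpdump -n -e -ttt -i pflog0     # see which rule logged each block or pass
#   pfctl -ss                        # state table: redirected sessions appear here
```

If a redirected connection still fails with no pflog0 entry for it, the packet is reaching the internal host; check that the host's default route points back through $ifInt so the reply can be matched to the state.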