Timothy,

I don't see where your pass rules for redirected traffic are on both the external and internal (if you don't skip it) interfaces?

You have to add these pass rules to pf, it's pretty straightforward.

> pass in on $ext_nic proto tcp from any to 192.168.1.227 port ssh queue ssh
> pass in on $ext_nic proto tcp from any to 192.168.1.227 port www queue www

--
Thanks!
Evgeniy Sudyr

On Fri, Sep 3, 2010 at 1:12 AM, Timothy Beyer <timot...@titaniumant.com> wrote:
> Here's some log output. I forgot to note this is on OpenBSD 4.2. The first
> entry is a successful connection to one of the working redirects. Connection
> attempts to the redirect I'm trying to add don't show up in the log even after
> adding a log directive in the filter rules.
>
> -T
>
> tcpdump: listening on pflog0, link-type PFLOG
> Sep 02 15:00:13.263016 rule 24/(match) pass in on fxp0: 75.xxx.xxx.209.51635 > 192.168.1.16.22: [|tcp] (DF)
> Sep 02 15:00:14.783786 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
> Sep 02 15:00:15.529433 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
> Sep 02 15:00:16.279410 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
> Sep 02 15:00:17.779913 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
> Sep 02 15:00:18.529400 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
> Sep 02 15:00:19.279498 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
> Sep 02 15:00:20.780050 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
> Sep 02 15:00:21.529443 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
> Sep 02 15:00:22.280000 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
>
> ________________________________
> From: sven falempin [sven.falem...@gmail.com]
> Sent: Thursday, September 02, 2010 2:05 PM
> To: Timothy Beyer
> Cc: misc@openbsd.org
> Subject: Re: pf redirect problem
>
> tcpdump on pflog will probably help (see the FAQ)
>
> 2010/9/2 Timothy Beyer <timot...@titaniumant.com>
> Hello,
>
> I'm having trouble setting up a redirect rule and I'm not sure where I'm going
> wrong. My redirect line and filter rules look like:
>
> rdr on $ext_nic proto tcp from any to 38.xxx.xxx.213 -> 192.168.1.227
> pass in on $ext_nic proto tcp from any to 192.168.1.227 port ssh queue ssh
> pass in on $ext_nic proto tcp from any to 192.168.1.227 port www queue www
>
> The output of 'pfctl -s nat' is:
>
> nat on fxp0 inet from 192.168.1.0/24 to any -> 38.xxx.xxx.206
> nat on fxp0 inet from 192.168.2.0/24 to any -> 38.xxx.xxx.207
> nat on fxp0 inet from 192.168.3.0/24 to any -> 38.xxx.xxx.208
> nat on dc3 inet from 192.168.1.0/24 to any -> 192.168.10.156
> nat on fxp0 inet from 192.168.10.15 to any -> 38.xxx.xxx.206
> rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.209 -> 192.168.1.16
> rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.210 -> 192.168.1.21
> rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.212 -> 192.168.1.12
> rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.211 -> 192.168.1.24
> rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.213 -> 192.168.1.227
>
> All of the other redirects are working. I see my filter rule in the output
> from 'pfctl -s rules' but I can't connect via ssh from an external network
> after reloading pf.conf. Any insight would be very much appreciated. I've
> posted my full conf at http://pastebin.com/TZa0WzE0 if needed.
>
> Thanks,
>
> Tim
>
>
> --
> No doubt it is one of the functions of art to replace religious faith by the
> effective ingredient of beauty. At least beauty must have the power of a poem,
> that is to say of a crime.

--
With regards,
Eugene Sudyr
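The diagnostic step Sven suggested and Timothy followed, reading pflog with tcpdump, is easier to act on when the output is summarised per rule. The following is an added example, not code posted by anyone in this thread, that parses lines in the format `tcpdump -n -e -ttt -i pflog0` prints on OpenBSD (the format of the log Timothy posted) and reports, per pf rule, how often it fired and on which destinations, then checks whether any logged packet touched a given redirect. The sample input is constructed from the lines posted above with the mail client's wrapping undone and the addresses still masked with "xxx", so they are handled as opaque strings. All function names are my own. One thing the summary makes visible: pf of that era applies rdr before the filter, so a pass rule on the external interface is logged with the internal, post-translation destination (rule 24 shows 192.168.1.16.22, not the 38.xxx.xxx.209 public address), which is why the check looks for both sides of a redirect; and the rule 0 blocks are DNS and ICMP aimed at the NAT address 38.xxx.xxx.206, not at the new redirect at all.

```python
"""Summarise pflog(4) output, as printed by `tcpdump -n -e -ttt -i pflog0`
on OpenBSD, per pf rule, and check whether a redirect's traffic shows up.
Added example; not code from the thread."""
import re
from collections import Counter

# Constructed sample input: the pflog lines posted in the thread, with the
# mail client's line wrapping undone.  Addresses are masked with "xxx" as
# they were posted, so endpoints are treated as opaque strings, not IPs.
SAMPLE_PFLOG = """\
tcpdump: listening on pflog0, link-type PFLOG
Sep 02 15:00:13.263016 rule 24/(match) pass in on fxp0: 75.xxx.xxx.209.51635 > 192.168.1.16.22: [|tcp] (DF)
Sep 02 15:00:14.783786 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:15.529433 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:16.279410 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:17.779913 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:18.529400 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:19.279498 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:20.780050 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
Sep 02 15:00:21.529443 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
Sep 02 15:00:22.280000 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
"""

# One pflog line: timestamp, "rule N/(reason)", action, direction, interface,
# then tcpdump's usual "src > dst: payload".
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^\s:]+): (?P<rest>.*)$"
)


def split_endpoint(endpoint):
    """tcpdump -n prints an IPv4 endpoint as a.b.c.d.port; ICMP has no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return endpoint, None


def parse_pflog_line(line):
    """Return a dict for one pflog entry, or None for lines that are not one
    (for example tcpdump's 'listening on pflog0' banner)."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return {
        "ts": m["ts"], "rule": int(m["rule"]), "reason": m["reason"],
        "action": m["action"], "dir": m["dir"], "iface": m["iface"],
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "payload": m["rest"],
    }


def parse_pflog(text):
    entries = []
    for line in text.splitlines():
        e = parse_pflog_line(line)
        if e is not None:
            entries.append(e)
    return entries


def summarize_by_rule(entries):
    """Per rule number: its action, hit count and a Counter of the
    (dst_host, dst_port) pairs it fired on."""
    summary = {}
    for e in entries:
        s = summary.setdefault(
            e["rule"], {"action": e["action"], "count": 0, "destinations": Counter()})
        s["count"] += 1
        s["destinations"][(e["dst_host"], e["dst_port"])] += 1
    return summary


def hits_for_host(entries, host):
    """Entries in which host appears as source or destination."""
    return [e for e in entries if host in (e["src_host"], e["dst_host"])]


def redirect_seen(entries, public_host, internal_host):
    """True if any logged packet involved either side of a redirect.  pf of
    this era applies rdr before the filter, so a pass rule on the external
    interface is logged with the internal (post-translation) destination;
    checking only the public address would miss it."""
    return bool(hits_for_host(entries, public_host)
                or hits_for_host(entries, internal_host))


if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_PFLOG)
    for rule, s in sorted(summarize_by_rule(entries).items()):
        print(f"rule {rule:>3} {s['action']:<5} {s['count']:>3} hit(s)")
        for (host, port), n in s["destinations"].most_common():
            print(f"      -> {host}{'.' + port if port else ''}  x{n}")
    # The redirect from the thread that is not working.
    print("38.xxx.xxx.213 -> 192.168.1.227 seen:",
          redirect_seen(entries, "38.xxx.xxx.213", "192.168.1.227"))
    # A working one, for comparison.
    print("38.xxx.xxx.209 -> 192.168.1.16 seen:",
          redirect_seen(entries, "38.xxx.xxx.209", "192.168.1.16"))
```

Run against a live box with `tcpdump -n -e -ttt -i pflog0 | python3 pflogsum.py` adapted to read stdin, or on a saved capture. When the summary shows no hit on either side of a redirect even though the filter rule carries `log`, the packets are not reaching pf's filter on that interface at all, and the next thing to look at is the wire itself (`tcpdump -n -i fxp0 host <public address>`) rather than the ruleset.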