On 12 sep 2010, at 00.39, Per-Olov Sjöholm wrote:

> On 11 sep 2010, at 23.49, Per-Olov Sjöholm wrote:
>
>> On 10 sep 2010, at 21.24, Peter N. M. Hansteen wrote:
>>
>>> Per-Olov Sjöholm <p...@incedo.org> writes:
>>>
>>>> It seems the first one is unable to convert as it seems "no match in on..."
>>>> does not work.
>>>
>>> Off the top of my head, move the rdr-to bits to your pass rules, make
>>> sure the pass rule without the rdr-to is either the last or a
>>> quick. Or use a negation in the criteria for your match rule. Hard to
>>> be more specific without the full rule set.
>>>
>>> - P
>>> --
>>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>>> "Remember to set the evil bit on all malicious network traffic"
>>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>>
>> Here is some more info from the rule set...
>>
>> I for sure try to find the easiest "no rdr" statement replacement to what I
>> had in 4.6. Maybe a mix of sticky match rules in "match" statements and "pass"
>> statements with "rdr-to" in them will do the trick. However, I try to replace
>> the earlier "no rdr" with a negated match rule. It seems I miss something here
>> or it's simply not possible to achieve anymore. At least it seems to be a
>> problem to replace the earlier "rdr" rules from 4.6 with just drop-in "match"
>> statements. Am I *forced* to also mix in pass rules with "rdr-to" in them?????
>> Below is the spec of the problem.... Switching directly to 4.7 breaks FTP if I
>> cannot easily solve the "no rdr" problem.
>>
>> ---#--- This is what I have in rc.conf.local ---#---
>> r...@xanadu:~#more /etc/rc.conf.local
>> named_flags=""        # for normal use: ""
>> pf=YES                # Packet filter / NAT
>> sshd_flags="-4"       # for normal use: ""
>> dhcpd_flags="vlan2"   # for normal use: ""
>> ntpd_flags=""         # for normal use: ""
>> ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222"   # for normal use: ""
>>
>> ---#--- For the case relevant stuff cut out from pf.conf in 4.6.... ---#---
>>
>> nat-anchor "ftp-proxy/*"
>> nat on $INTERNET_INT inet from $DMZ1_ORIGO -> $INTERNET_INT_IP2
>> rdr-anchor "ftp-proxy/*"
>>
>> nat on $INTERNET_INT from $DMZ1_ORIGO to any -> $INTERNET_INT_IP2
>> nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
>> nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1
>>
>> no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
>> rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
>>
>> pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state
>>
>> pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
>> pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
>>
>> pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
>>
>> ---#--- I translated this to the following in 4.7 ---#---
>>
>> anchor "ftp-proxy/*"
>> match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2
>> #rdr-anchor "ftp-proxy/*"
>>
>> match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
>> match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
>> match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1
>>
>> # no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
>> # >>>>>>PROBLEM TO TRANSLATE THE ABOVE ROW<<<<<<
>>
>> # rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
>> match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO
>>
>> pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state
>>
>> pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
>> pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
>>
>> pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
>>
>> Everything works except the FTP service on my RFC1918 DMZ.
>>
>> Suggestions very much appreciated.
>> (Using just match rules instead of pass rules with rdr-to if possible....)
>>
>> /Peo
>> --
>> GPG keyID: 5231C0C4
>> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
>> GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
>
> Sorry... Forgot that I had this rule as well that is involved...
>
> pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port { 21 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
>
> That is the reason I don't want a "no-rdr" for port 21 to INTERNET_IP2 so it
> terminates in the firewall with the ftp-proxy and not in the DMZ server.
>
> /Peo

Well.... It seems this in 4.6:

no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO

Could be replaced by the following in 4.7:

match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 port 21<>21 rdr-to $DMZ1_ORIGO

/Peo
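Pulling the thread's resolution together, here is an added 4.7-style pf.conf fragment (my own, not Peo's ruleset) that keeps the 4.6 "no rdr" plus "rdr" semantics; it assumes the macros and the <bad_hosts> table from the thread are defined earlier in pf.conf and that ftp-proxy runs with the rc.conf.local flags quoted above, and it goes slightly beyond the one-liner by splitting tcp and udp so UDP/21 is still redirected as it was in 4.6.

```conf
# Added example, not from the thread. Assumes $INTERNET_INT, $INTERNET_INT_IP2,
# $DMZ1_ORIGO and <bad_hosts> are defined above, and that ftp-proxy is started
# with "-R 192.168.2.35 -p 21 -b 82.82.222.222" as in the quoted rc.conf.local.

# ftp-proxy(8) fills this anchor with its own pass/rdr-to/nat-to rules;
# in 4.7 one "anchor" replaces both nat-anchor and rdr-anchor from 4.6.
anchor "ftp-proxy/*"

# Outbound NAT for the DMZ host, as in the thread.
match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2

# Equivalent of the 4.6 pair:
#   no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
#   rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
# The 4.6 exception applied to TCP/21 only, so tcp and udp get separate match
# rules. "port != 21" is pf's own inequality operator; it excludes exactly the
# same port as Peo's "port 21<>21" but reads more plainly.
match in on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port != 21 rdr-to $DMZ1_ORIGO
match in on $INTERNET_INT proto udp from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

# TCP/21 to $INTERNET_INT_IP2 is left untranslated, so it terminates on the
# firewall where ftp-proxy -R listens and is relayed to the DMZ host from there.
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port 21 flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

# Redirected traffic is filtered on its post-rdr (DMZ) address in 4.7, which is
# why the thread's pass rule names $DMZ1_ORIGO rather than $INTERNET_INT_IP2.
pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

# Checks to run on the firewall after editing:
#   pfctl -nf /etc/pf.conf        # parse only; catches syntax errors before loading
#   pfctl -sr                     # confirm rule order: last match wins, "quick" stops
#   pfctl -a "ftp-proxy/*" -sr    # rules ftp-proxy has inserted for live sessions
```

Because match rules only set actions and never terminate evaluation, the order between the two match rules does not matter, but the pass rule for port 21 must stay before any later, broader pass rule that would otherwise be the last match.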