PPPoe + pf + DMZ server


George Sitov
Hello!

I use ADSL and have direct access to the Internet, and I go through pf (rdr)
to a DMZ Windows server (protocol RDP).

Our Internet provider changed the protocol to PPPoE; I made the change in pf.conf,

but now rdr does not work :-(

That's what tcpdump says:


tcpdump -i tun0 port rdp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes

14:36:28.928329 IP xxx..xxx.xxx3472 > yyy.com.rdp: S
1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>

14:36:31.883762 IP xxx..xxx.xxx.3472 > yyy.com.rdp: S
1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>

14:36:37.819110 IP xxx..xxx.xxx.3472 > yyy.com.rdp: S
1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>

tcpdump on the internal interface is empty.

This is my pf.conf:

int_if="fxp0"
ext_if="tun0"

internal_net="192.168.0.1/24"
external_addr="111.111.111.111"

rdp_server="192.168.0.250"

priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

tcp_services="{domain,smtp,ssh}"
udp_services="{domain}"
icmp_types="echoreq"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
scrub in on $ext_if all fragment reassemble min-ttl 20 max-mss 1440
scrub in on $ext_if all no-df
scrub on $ext_if all reassemble tcp
rdr on $ext_if proto tcp from any to any port rdp -> $rdp_server
nat on $ext_if from $internal_net to any -> ($ext_if)

#block all
pass all

pass quick on lo all

antispoof quick for $int_if inet

# PORT SCANNERS FOR OS DETECTING
block in quick proto tcp from any to $external_addr flags SF/SFRA
block in quick proto tcp from any to $external_addr flags SFUP/SFRAU
block in quick proto tcp from any to $external_addr flags FPU/SFRAUP

block in quick proto tcp from any to $external_addr flags F/SFRA

block in quick proto tcp from any to $external_addr flags U/SFRAU
block in quick proto tcp from any to $external_addr flags P/P

#3.1 don't allow anyone to spoof non-routable addresses
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass out all

pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state

#Enable incoming keep-state traffic

pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA modulate state

pass in on $ext_if proto udp from any to ($ext_if) \
port $udp_services

pass in on $ext_if proto tcp from any to $rdp_server port rdp \
flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow outgoing traffic to the Internet
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state


Is this a mistake in the pf firewall?
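The tcpdump excerpt above shows the classic signature of a redirect that never reaches its target: three SYNs with the same sequence number, spaced by the client's exponential backoff, and no SYN-ACK. The following script is an added example (not part of the post) that parses tcpdump's plain-text output, groups SYNs into flows and reports which flows were answered. The addresses and timestamps in SAMPLE_CAPTURE are constructed (RFC 5737 documentation ranges); the timestamps copy the spacing in the post so the retransmission gaps are visible.

```python
"""Detect unanswered SYN retransmissions in tcpdump text output.

Added example, not part of the original post. Parses the classic tcpdump
line format ("HH:MM:SS.ffffff IP src.sport > dst.dport: S seq:seq(0) ...")
and reports, per client->server flow, how many SYNs were seen, whether a
SYN-ACK came back, and the gaps between retries.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one RDP flow that is never answered (three SYNs with
# the same sequence number) and one SSH flow that gets a SYN-ACK.
SAMPLE_CAPTURE = """\
14:36:28.928329 IP 203.0.113.7.3472 > 198.51.100.20.3389: S 1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>
14:36:31.883762 IP 203.0.113.7.3472 > 198.51.100.20.3389: S 1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>
14:36:37.819110 IP 203.0.113.7.3472 > 198.51.100.20.3389: S 1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>
14:36:40.101000 IP 203.0.113.9.4010 > 198.51.100.20.22: S 77:77(0) win 65535 <mss 1440>
14:36:40.101500 IP 198.51.100.20.22 > 203.0.113.9.4010: S 900:900(0) ack 78 win 5840 <mss 1460>
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>[^.\s]+) > '
    r'(?P<dst>\S+?)\.(?P<dport>[^.\s]+): (?P<flags>\S+)(?P<rest>.*)$')
SEQ_RE = re.compile(r'^\s*(\d+):')


def to_seconds(ts: str) -> float:
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(capture: str) -> List[Dict]:
    """Return one record per client->server flow that sent at least one SYN."""
    syns = defaultdict(list)      # flow -> [(time, seq), ...]
    answered = set()              # flows for which a SYN-ACK was seen
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group('flags') != 'S':
            continue              # only SYN / SYN-ACK lines matter here
        d = m.groupdict()
        if ' ack ' in d['rest']:
            # SYN-ACK goes server -> client: mark the reverse flow as answered
            answered.add((d['dst'], d['dport'], d['src'], d['sport']))
        else:
            seq = SEQ_RE.match(d['rest'])
            syns[(d['src'], d['sport'], d['dst'], d['dport'])].append(
                (to_seconds(d['ts']), seq.group(1) if seq else None))
    report = []
    for flow, pkts in syns.items():
        times = [t for t, _ in pkts]
        report.append({
            'flow': flow,
            'syn_count': len(pkts),
            'answered': flow in answered,
            # identical sequence numbers prove these are retransmissions,
            # not separate connection attempts
            'same_seq': len({s for _, s in pkts}) == 1,
            'gaps': [round(b - a, 3) for a, b in zip(times, times[1:])],
        })
    return report


def unanswered(capture: str) -> List[Dict]:
    """Flows whose SYNs never received a SYN-ACK in the capture."""
    return [r for r in analyze(capture) if not r['answered']]


if __name__ == '__main__':
    for r in unanswered(SAMPLE_CAPTURE):
        src, sport, dst, dport = r['flow']
        print(f"{src}:{sport} -> {dst}:{dport}: {r['syn_count']} SYNs, "
              f"same seq={r['same_seq']}, gaps={r['gaps']}, no SYN-ACK")
```

Run it against `tcpdump -n -i tun0 port rdp` output saved to a file; a flow that appears here as unanswered while nothing shows on the internal interface tells you the packet was dropped or not translated on the firewall itself, rather than refused by the server.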
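Two things are worth checking statically in a ruleset like the one above before touching the link: which pass rules actually admit the traffic after the rdr has rewritten its destination (pf filters on the translated packet), and which rules are pinned to a literal address rather than the interface-tracked `($ext_if)` form, since a PPPoE address can change at every reconnect. The script below is an added example, not part of the post; it is a deliberately simplified pf.conf reader (macros, backslash continuations, comments) and does not expand `{ ... }` lists or handle every pf keyword. SAMPLE_CONF is a constructed subset that mirrors the posted ruleset.

```python
"""Simplified pf.conf checker: rdr/pass consistency and static-address rules.

Added example, not part of the original post. Expands macros, then
reports (1) which pass rules admit the redirected flow for each rdr rule
and (2) which rules reference a literal host address versus an
interface-bound "(ifname)" address. Does not expand { } lists.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed subset mirroring the shape of the posted ruleset.
SAMPLE_CONF = r"""
int_if="fxp0"
ext_if="tun0"
internal_net="192.168.0.1/24"
external_addr="111.111.111.111"
rdp_server ="192.168.0.250"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
tcp_services="{domain,smtp,ssh}"
scrub in on $ext_if all fragment reassemble min-ttl 20 max-mss 1440
rdr on $ext_if proto tcp from any to any port rdp -> $rdp_server
nat on $ext_if from $internal_net to any -> ($ext_if)
pass all
pass quick on lo all
antispoof quick for $int_if inet
# port scanners for OS detection
block in quick proto tcp from any to $external_addr flags SF/SFRA
block in quick proto tcp from any to $external_addr flags FPU/SFRAUP
block drop in quick on $ext_if from $priv_nets to any
pass out all
pass in on $int_if from $internal_net to any keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA modulate state
pass in on $ext_if proto tcp from any to $rdp_server port rdp \
    flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass out on $ext_if proto tcp all flags S/SA keep state
"""

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?(.*?)"?$')
IPV4_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b')
IFADDR_RE = re.compile(r'\(\w+\)')


def join_continuations(text: str) -> List[str]:
    """A trailing backslash continues a pf.conf rule on the next line."""
    out, buf = [], ''
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
        else:
            out.append(buf + line)
            buf = ''
    if buf:
        out.append(buf)
    return out


def parse(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (macros, rules with macros expanded, comments/blanks dropped)."""
    macros: Dict[str, str] = {}
    rules: List[str] = []
    for line in join_continuations(text):
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        line = re.sub(r'\$(\w+)', lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        rules.append(' '.join(line.split()))
    return macros, rules


def _after(toks: List[str], key: str) -> Optional[str]:
    return toks[toks.index(key) + 1] if key in toks else None


def rdr_rules(rules: List[str]) -> List[Dict[str, str]]:
    """Extract interface, protocol, port and target of each rdr rule."""
    found = []
    for r in rules:
        toks = r.split()
        if toks[0] == 'rdr':
            found.append({'rule': r, 'iface': _after(toks, 'on'), 'proto': _after(toks, 'proto'),
                          'port': _after(toks, 'port'), 'target': _after(toks, '->')})
    return found


def admitting_rules(rdr: Dict[str, str], rules: List[str]) -> List[str]:
    """Inbound pass rules that match the packet AFTER rdr rewrote its destination."""
    hits = []
    for r in rules:
        toks = r.split()
        if toks[0] != 'pass' or 'out' in toks[1:3]:
            continue
        if (_after(toks, 'on') in (None, rdr['iface'])
                and _after(toks, 'proto') in (None, rdr['proto'])
                and _after(toks, 'to') in (None, 'any', rdr['target'])
                and _after(toks, 'port') in (None, rdr['port'])):
            hits.append(r)
    return hits


def host_literals(rules: List[str]) -> Dict[str, List[str]]:
    """Map each literal host address (no prefix length) to the rules using it."""
    refs = defaultdict(list)
    for r in rules:
        for addr in {a for a in IPV4_RE.findall(r) if '/' not in a}:
            refs[addr].append(r)
    return dict(refs)


def interface_bound(rules: List[str]) -> List[str]:
    """Rules using "(ifname)", which pf re-evaluates when the address changes."""
    return [r for r in rules if IFADDR_RE.search(r)]


if __name__ == '__main__':
    macros, rules = parse(SAMPLE_CONF)
    for rdr in rdr_rules(rules):
        print('rdr:', rdr['rule'])
        for r in admitting_rules(rdr, rules):
            print('   admitted by:', r)
    for addr, rs in host_literals(rules).items():
        print(f'literal {addr} used in {len(rs)} rule(s)')
    print('interface-bound rules:', len(interface_bound(rules)))
```

On the sample this reports the rdr as admitted by `pass all` and by the synproxy pass rule, two rules pinned to 111.111.111.111 and two using `(tun0)`: the pinned ones stop matching as soon as the PPPoE address differs from the macro, while the `(tun0)` ones follow the interface.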