help with pf redirection (openbsd 4.6)


help with pf redirection (openbsd 4.6)

N. Arley Dealey
Help! I'm obviously overlooking something really obvious but I just
can't see it.

I'm building my first PF-based router/firewall using OpenBSD 4.6. For now,
what I need it to do is pretty simple:

     1. Allow all outbound traffic via NAT and allow all inbound responses.
     2. Allow only ssh and auth to the external interface.
     3. Redirect two ports (2000 & 4200) to two different hosts on the
        internal net.

I've created a minimal pf.conf file that I thought would accomplish this.
Goals 1 & 2 are working fine (I can connect outbound from hosts on the
internal net and I can connect to the firewall inbound via ssh) but the
redirections are not going anywhere.

I don't know what to do next other than enable logging, fire up tcpdump
and try to see what is actually happening. But I thought I'd ask first if
anybody more familiar with pf can see something fundamentally flawed with
my config.

Here is the pf.conf (slightly edited to obscure the actual IPs):
# pf.conf: agilulf.det2.gw00

#################################################################################
# MACROS
#--------------------------------------------------------------------------------

# interfaces
ifExt = "fxp0"    # 66.b.c.118
ifInt = "fxp1"    # 192.x.y.2

################################################################################
# OPTIONS
#--------------------------------------------------------------------------------

set block-policy return
set loginterface $ifExt
set skip on lo

################################################################################
# NAT & Redirection
#--------------------------------------------------------------------------------

nat on $ifExt from !$ifExt -> $ifExt:0

rdr pass on $ifExt proto tcp from any to any port 4200 -> 192.x.y.40 port 4200
rdr pass on $ifExt proto tcp from any to any port 2000 -> 192.x.y.21 port 2000

#################################################################################
# FILTER RULES
#--------------------------------------------------------------------------------

block in
pass out keep state

# internal clients
pass in quick on $ifInt

# external
pass in inet proto icmp all icmp-type echoreq
pass in on $ifExt inet proto tcp from any to $ifExt port { ssh, auth }

###EoF###


And here is the result of loading pf.conf:
     # pfctl -vf /etc/pf.conf
     ifExt = "fxp0"
     ifInt = "fxp1"
     set block-policy return
     set loginterface fxp0
     set skip on { lo }
     nat on fxp0 inet from ! 66.b.c.118 to any -> 66.b.c.118
     rdr pass on fxp0 inet proto tcp from any to any port = 4200 -> 192.x.y.40 port 4200
     rdr pass on fxp0 inet proto tcp from any to any port = 2000 -> 192.x.y.21 port 2000
     block return in all
     pass out all flags S/SA keep state
     pass in quick on fxp1 all flags S/SA keep state
     pass in on fxp0 inet proto tcp from any to 66.b.c.118 port = ssh flags S/SA keep state
     pass in on fxp0 inet proto tcp from any to 66.b.c.118 port = auth flags S/SA keep state
     pass in inet proto icmp all icmp-type echoreq keep state
     #

From the firewall box, I can ping and traceroute successfully to the two
destination hosts for the redirections and I can connect to the destination
ports of the redirections. I just can't make the redirected connections via
the external interface of the firewall.

Any help would be greatly appreciated.


Re: help with pf redirection (openbsd 4.6)

matteo filippetto
2010/3/17 N. Arley Dealey <[hidden email]>

> [quoted text of the original post trimmed]
Hi,

maybe you forgot a pass rule to allow traffic on ports 2000 and 4200?

Let me know any news,
best regards.

--
Matteo Filippetto