pf and apache


pf and apache

Chris M-2
I have pf running on an openbsd box handling port forwarding. All ports
seem to forward ok except for port 80.

Apache is running on a slackware box. I can access apache just fine
internally by using the ip address of that server (192.168.1.70), but if I
access the ip of the openbsd box (192.168.1.60) I just get an error that
the server is not available. It should be forwarding port 80 to the
slackware box.

Here is my pf.conf
-----------------------------
ext_if = "rl0"
int_if = "em0"

icmp_types="echoreq"
set block-policy return
set loginterface egress

set skip on lo
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in log
pass out log quick
antispoof quick for { lo $int_if }

#################################
#   port forwarding
#################################
pass in on $ext_if proto tcp from any to any port 80 rdr-to 192.168.1.70 port 80
pass in on $int_if proto tcp from any to any port 80 rdr-to 192.168.1.70 port 80
pass in on $ext_if proto tcp from any to any port 6699 rdr-to 192.168.1.60 port 22
pass in on $ext_if proto tcp from any to any port 51413 rdr-to 192.168.1.105 port 51413
pass in on $ext_if proto udp from any to any port 51413 rdr-to 192.168.1.105 port 51413
pass in on $int_if proto udp from any to any port 58846 rdr-to 192.168.1.101 port 6881
pass in on $ext_if proto tcp from any to any port 9000 rdr-to 192.168.1.105 port 81

############################################################
#pass in log (all) inet proto icmp all icmp-type $icmp_types
pass in log (all) on $int_if


Re: pf and apache

Andy Bradford-21
Thus said Matt Morrow on Thu, 28 Feb 2013 23:07:30 -0600:

> Apache is  running on a slackware  box. I can access  apache just fine
> internally by using the ip  address of that server (192.168.1.70), but
> if I  access the ip  of the openbsd box  (192.168.1.60) I just  get an
> error that the  server is not available. It should  be forwarding port
> 80 to the slackware box.

I'm going to  guess from your description that you  are trying to rdr-to
on the same interface. The documentation says:

     Redirections cannot reflect packets  back through the interface
     they arrive on, they can  only be redirected to hosts connected
     to different interfaces or to the firewall itself.

The next section discusses using NAT... might be what you're after.

Andy
--
TAI64 timestamp: 40000000513040c3


Re: pf and apache

Chris M-2
I'm doing the rdr-to on both interfaces. But, I have other ports that rdr
just fine internally, so that's why I think something else is going on. For
example, I have ssh on 6699 and I can access that both internally and
externally.

On Thu, Feb 28, 2013 at 11:46 PM, Andy Bradford
<[hidden email]> wrote:

> Thus said Matt Morrow on Thu, 28 Feb 2013 23:07:30 -0600:
>
> > Apache is  running on a slackware  box. I can access  apache just fine
> > internally by using the ip  address of that server (192.168.1.70), but
> > if I  access the ip  of the openbsd box  (192.168.1.60) I just  get an
> > error that the  server is not available. It should  be forwarding port
> > 80 to the slackware box.
>
> I'm going to  guess from your description that you  are trying to rdr-to
> on the same interface. The documentation says:
>
>      Redirections cannot reflect packets  back through the interface
>      they arrive on, they can  only be redirected to hosts connected
>      to different interfaces or to the firewall itself.
>
> The next section discusses using NAT... might be what you're after.
>
> Andy
> --
> TAI64 timestamp: 40000000513040c3


Re: pf and apache

Beto-3
Andy, we can see the result of running

tcpdump -n -e -ttt -i pflog0 host 192.168.1.70

Thanks


2013/3/1 Matt Morrow <[hidden email]>

> I'm doing the rdr-to on both interfaces. But, I have other ports that rdr
> just fine internally, so that's why I think something else is going on. For
> example, I have ssh on 6699 and I can access that both internally and
> externally.
>
> On Thu, Feb 28, 2013 at 11:46 PM, Andy Bradford
> <[hidden email]>wrote:
>
> > Thus said Matt Morrow on Thu, 28 Feb 2013 23:07:30 -0600:
> >
> > > Apache is  running on a slackware  box. I can access  apache just fine
> > > internally by using the ip  address of that server (192.168.1.70), but
> > > if I  access the ip  of the openbsd box  (192.168.1.60) I just  get an
> > > error that the  server is not available. It should  be forwarding port
> > > 80 to the slackware box.
> >
> > I'm going to  guess from your description that you  are trying to rdr-to
> > on the same interface. The documentation says:
> >
> >      Redirections cannot reflect packets  back through the interface
> >      they arrive on, they can  only be redirected to hosts connected
> >      to different interfaces or to the firewall itself.
> >
> > The next section discusses using NAT... might be what you're after.
> >
> > Andy
> > --
> > TAI64 timestamp: 40000000513040c3


Re: pf and apache

Pawel
Hello,

If you are using only redirections, the source host will receive a SYN-ACK
from 192.168.1.70, but it never sent a SYN to this address, so the
source host will send a TCP reset. A solution may be:

pass in on $int_if proto tcp from $int_if:network to any port 80 rdr-to 192.168.1.70
pass out on $int_if proto tcp from $int_if:network to any port 80 received-on $int_if nat-to $int_if


On 01.03.2013 06:07, Matt Morrow wrote:

> I have pf running on an openbsd box handling port forwarding. All ports
> seem to forward ok except for port 80.
>
> Apache is running on a slackware box. I can access apache just fine
> internally by using the ip address of that server (192.168.1.70), but if I
> access the ip of the openbsd box (192.168.1.60) I just get an error that
> the server is not available. It should be forwarding port 80 to the
> slackware box.
>
> Here is my pf.conf
> -----------------------------
> ext_if = "rl0"
> int_if = "em0"
>
> icmp_types="echoreq"
> set block-policy return
> set loginterface egress
>
> set skip on lo
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> block in log
> pass out log quick
> antispoof quick for { lo $int_if }
>
> #################################
> #   port forwarding
> #################################
> pass in on $ext_if proto tcp from any to any port 80 rdr-to 192.168.1.70 port 80
> pass in on $int_if proto tcp from any to any port 80 rdr-to 192.168.1.70 port 80
> pass in on $ext_if proto tcp from any to any port 6699 rdr-to 192.168.1.60 port 22
> pass in on $ext_if proto tcp from any to any port 51413 rdr-to 192.168.1.105 port 51413
> pass in on $ext_if proto udp from any to any port 51413 rdr-to 192.168.1.105 port 51413
> pass in on $int_if proto udp from any to any port 58846 rdr-to 192.168.1.101 port 6881
> pass in on $ext_if proto tcp from any to any port 9000 rdr-to 192.168.1.105 port 81
>
> ############################################################
> #pass in log (all) inet proto icmp all icmp-type $icmp_types
> pass in log (all) on $int_if
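As an added illustration (not code from the thread) of Andy's point that a redirection cannot reflect packets back through the interface they arrived on, and of Pawel's SYN-ACK/RST explanation, the model below walks one TCP SYN through the gateway with the rdr-to alone and with the added nat-to $int_if. The gateway and Apache addresses are the thread's; the two client addresses and the gateway's external address are constructed.

```python
# Added example: a small model of the TCP handshake through the OpenBSD
# gateway, showing why the internal port-80 rdr-to fails without Pawel's
# nat-to, and why the same rdr-to works for clients arriving from outside.
from dataclasses import dataclass

LAN = "192.168.1."
GW_INT, SERVER = "192.168.1.60", "192.168.1.70"      # addresses from the thread
GW_EXT, LAN_CLIENT, EXT_CLIENT = "198.51.100.1", "192.168.1.50", "203.0.113.7"  # constructed

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str

def on_lan(ip: str) -> bool:
    return ip.startswith(LAN)

def handshake(client: str, hairpin_nat: bool) -> str:
    """Return the client's outcome: ESTABLISHED, or RST when the SYN-ACK
    arrives from an address/port the client never sent a SYN to."""
    gw_addr = GW_INT if on_lan(client) else GW_EXT
    syn = Packet(client, 40000, gw_addr, 80, "SYN")

    # 1. Gateway: 'rdr-to 192.168.1.70 port 80' rewrites the destination;
    #    'nat-to $int_if' (only when hairpin_nat) also rewrites the source
    #    of LAN clients to the gateway's own LAN address.
    fwd_src = GW_INT if (hairpin_nat and on_lan(client)) else syn.src
    fwd = Packet(fwd_src, syn.sport, SERVER, 80, "SYN")
    state = {(fwd.dst, fwd.dport, fwd.src, fwd.sport): syn}   # pf state entry

    # 2. The server answers whoever the SYN appeared to come from.
    synack = Packet(SERVER, 80, fwd.src, fwd.sport, "SYN-ACK")

    # 3. Routing: a reply to another LAN host crosses the switch directly and
    #    never passes the gateway, so pf cannot undo the rdr on the way back.
    if on_lan(synack.dst) and synack.dst != GW_INT:
        delivered = synack
    else:
        orig = state[(synack.src, synack.sport, synack.dst, synack.dport)]
        delivered = Packet(orig.dst, orig.dport, orig.src, orig.sport, "SYN-ACK")

    # 4. Client: the SYN-ACK must match the 4-tuple of its own SYN.
    expected = (syn.dst, syn.dport, syn.src, syn.sport)
    got = (delivered.src, delivered.sport, delivered.dst, delivered.dport)
    return "ESTABLISHED" if got == expected else "RST"
```

With hairpin_nat=False a LAN client gets a SYN-ACK from 192.168.1.70 and resets, while an external client completes the handshake because the server's reply has to route back through the gateway anyway.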


Re: pf and apache

Chris M-2
Thanks everyone. Seems to be working from outside, so for now I'll just go
with the direct ip of the server when I need to access it internally.

On Fri, Mar 1, 2013 at 11:22 AM, Pawel Jurusz <[hidden email]> wrote:

> Hello,
>
> If You are using only redirections, source host will receive SYN-ACK
> from 192.168.1.70, but there was not previously SYN to this address, so
> source host will send TCP Reset. Solution may be:
>
> pass in on $int_if proto tcp from $int_if:network to any port 80 rdr-to 192.168.1.70
> pass out on $int_if proto tcp from $int_if:network to any port 80 received-on $int_if nat-to $int_if
>
>
> On 01.03.2013 06:07, Matt Morrow wrote:
> > I have pf running on an openbsd box handling port forwarding. All ports
> > seem to forward ok except for port 80.
> >
> > Apache is running on a slackware box. I can access apache just fine
> > internally by using the ip address of that server (192.168.1.70), but if I
> > access the ip of the openbsd box (192.168.1.60) I just get an error that
> > the server is not available. It should be forwarding port 80 to the
> > slackware box.
> >
> > Here is my pf.conf
> > -----------------------------
> > ext_if = "rl0"
> > int_if = "em0"
> >
> > icmp_types="echoreq"
> > set block-policy return
> > set loginterface egress
> >
> > set skip on lo
> > match out on egress inet from !(egress:network) to any nat-to (egress:0)
> > block in log
> > pass out log quick
> > antispoof quick for { lo $int_if }
> >
> > #################################
> > #   port forwarding
> > #################################
> > pass in on $ext_if proto tcp from any to any port 80 rdr-to 192.168.1.70 port 80
> > pass in on $int_if proto tcp from any to any port 80 rdr-to 192.168.1.70 port 80
> > pass in on $ext_if proto tcp from any to any port 6699 rdr-to 192.168.1.60 port 22
> > pass in on $ext_if proto tcp from any to any port 51413 rdr-to 192.168.1.105 port 51413
> > pass in on $ext_if proto udp from any to any port 51413 rdr-to 192.168.1.105 port 51413
> > pass in on $int_if proto udp from any to any port 58846 rdr-to 192.168.1.101 port 6881
> > pass in on $ext_if proto tcp from any to any port 9000 rdr-to 192.168.1.105 port 81
> >
> > ############################################################
> > #pass in log (all) inet proto icmp all icmp-type $icmp_types
> > pass in log (all) on $int_if