pf rdr-to and access from internal network

Julian Smith
Hello

I'm using pf's rdr-to to forward external connections on port 5281 to a
machine (called pc5) on my internal network, using this line in pf.conf:

    pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281

This works fine, but I can't get the forwarding to also work from my internal
network.

The FAQ http://www.openbsd.org/faq/pf/rdr.html talks about solutions to this exact
problem; the solution that is entirely in pf.conf is two extra lines like:

    pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $server
    pass out on $int_if proto tcp to $server port 80 received-on $int_if nat-to $int_if

First question - what is '$int_net'? I can't find it defined in the
pf.conf man page or FAQ. I've assumed that it's a typo for $int_if, but
please let me know if that's wrong.

So my version of these two lines is:

    pass in on $int_if proto tcp from $int_if to $ext_if port 5281 rdr-to pc5
    pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if

But this doesn't work - e.g. trying to telnet to my OpenBSD machine
from a local machine on port 5281 ends up with 'connection refused'.

Apologies if I've missed something obvious. I've read the pf.conf man
page and didn't find any alternative info there.

This is on OpenBSD 5.5.

Thanks for any help,

- Julian

--
http://op59.net

Re: pf rdr-to and access from internal network

Peter Nicolai Mathias Hansteen
Julian Smith <[hidden email]> writes:

>     pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $server
>     pass out on $int_if proto tcp to $server port 80 received-on $int_if nat-to $int_if
>
> First question - what is '$int_net' ? I can't find it defined in the
> pf.conf man page or FAQ. I've assumed that it's a typo for $int_if, but
> please let me know if that's wrong.

It's just another macro, and could *in principle* stand for anything,
but most likely it's intended to be equivalent to $int_if:network or
the network directly connected to the internal-facing interface.

- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: pf rdr-to and access from internal network

Julian Smith
On 27 Oct 2014 21:29:07 +0100
[hidden email] (Peter N. M. Hansteen) wrote:

> Julian Smith <[hidden email]> writes:
>
> >     pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $server
> >     pass out on $int_if proto tcp to $server port 80 received-on $int_if nat-to $int_if
> >
> > First question - what is '$int_net' ? I can't find it defined in the
> > pf.conf man page or FAQ. I've assumed that it's a typo for $int_if, but
> > please let me know if that's wrong.
>
> It's just another macro, and could *in principle* stand for anything,
> but most likely it's intended to be equivalent to $int_if:network or
> the network directly connected to the internal-facing interface.

Thanks. I tried replacing it with '$int_if:network' but it didn't
appear to make a difference - I still cannot connect to my server from
inside my LAN.

If anyone can suggest anything I can do to try to figure out what I've
done wrong, I'd be very grateful.

Thanks,

- Julian

--
http://op59.net

Re: pf rdr-to and access from internal network

trondd
Are you telnetting to the external IP of the server from the internal
client?

Have you enabled logging in pf?  Are the packets blocked or are they passed
by a different rule that doesn't give the expected results?

Tim.

Re: pf rdr-to and access from internal network

Julian Smith
On Tue, 28 Oct 2014 13:40:52 -0400
trondd <[hidden email]> wrote:

> Are you telnetting to the external IP of the server from the internal
> client?

Yes. Actually I've tried using the external IP and the internal IP.
Both have the same result - telnet says 'telnet: Unable to connect to
remote host: Connection refused'.

Telnetting from an external machine works fine.

>
> Have you enabled logging in pf?  Are the packets blocked or are they passed
> by a different rule that doesn't give the expected results?

Yes, I've enabled logging and I see various items such as:

[hidden email]:~ > sudo tcpdump -v -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
18:51:26.909339 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29686, len 48)
18:51:27.465183 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29765, len 48)
18:51:27.909397 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29841, len 48)

But I don't see anything when the internal connection is refused.

I enabled logging with:

    sudo ifconfig pflog0 up
    sudo tcpdump -v -i pflog0

For completeness, here's my pf.conf:

========
int_if="sk0"
ext_if="rl0"

tcp_services="{ 22, 80, 113 }"
icmp_types="echoreq"

# options

set block-policy return
set loginterface egress
set skip on lo

# match rules

match out on egress inet from !(egress:network) to any nat-to (egress:0)

# filter rules

block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

pass in inet proto icmp all icmp-type $icmp_types

# Redirect Undo keyserver connections to pc5:
pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281

# Attempting to allow 5281 to forward to pc5 from internal network. But doesn't
# work...
pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
#pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if

pass in on $int_if

# for our ftp server.
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port > 49151

pass in on rl0 proto tcp to port 21
pass in on rl0 proto tcp to port > 49151
========


Many thanks,

- Julian

--
http://op59.net

Re: pf rdr-to and access from internal network

Gilles Cafedjian
On 10/28/2014 07:57 PM, Julian Smith wrote:

> [...]
> # Redirect Undo keyserver connections to pc5:
> pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281
>
> # Attempting to allow 5281 to forward to pc5 from internal network. But doesn't
> # work...
> pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
> pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
> #pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if
> [...]

You can try the match keyword to redirect, and then a pass rule.

I didn't try it, and it's been a long time since I last wrote a pf rule, but
you can try something like this:

# change the destination IP of any packet to port 5281 so that it goes to pc5
# ('to port' is the destination port; 'from port' would match the source port)
match in on $ext_if inet proto tcp to port 5281 rdr-to pc5

...

pass on egress inet proto tcp to port 5281

Re: pf rdr-to and access from internal network

Stuart Henderson
On 2014-10-28, Julian Smith <[hidden email]> wrote:
> Yes, i've enabled logging and i see various items such as:
>
> [hidden email]:~ > sudo tcpdump -v -i pflog0

Add -e to the tcpdump line, it will show you action (block/match/pass) and
rule numbers, then check the traffic hits the expected rule (pfctl -sr -R ##
displays a rule by number).
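Stuart's tip is easier to act on once the pflog records are tallied by action and rule number. The following sh script is an added example, not from the thread; the function names are mine, and the record layout it parses ("time rule N/(reason) action dir on ifname: src > dst: ...") is what OpenBSD's tcpdump prints for pflog with -e. The sample records are constructed (RFC 5737 addresses).

```shell
#!/bin/sh
# Added example, not from the thread: read pflog records the way Stuart suggests,
# by action and rule number, so the rule that really handled a packet can then be
# displayed with `pfctl -sr -R <n>`. On a live box feed the functions with
#   tcpdump -n -e -i pflog0
# The records below are constructed (RFC 5737 addresses); their layout,
# "time rule N/(reason) action dir on ifname: src > dst: ...", is OpenBSD's pflog format.

SAMPLE_PFLOG='18:51:26.909339 rule 2/(match) block in on rl0: 203.0.113.7.4758 > 198.51.100.10.445: S 3330667214:3330667214(0) win 65535
18:51:27.465183 rule 2/(match) block in on rl0: 203.0.113.7.4758 > 198.51.100.10.445: S 3330667214:3330667214(0) win 65535
18:52:01.100000 rule 9/(match) pass in on sk0: 172.16.0.20.51234 > 198.51.100.10.5281: S 1000:1000(0) win 65535
18:52:03.200000 rule 12/(match) pass in on rl0: 203.0.113.9.40001 > 198.51.100.10.5281: S 2000:2000(0) win 65535'

# Number of records on stdin with action $1 (block/pass/match) from rule number $2.
pflog_count() {
    awk -v act="$1" -v rule="$2" '
        { for (i = 1; i <= NF; i++) if ($i == "rule") break
          if (i > NF) next
          split($(i+1), r, "/"); if (r[1] == rule && $(i+2) == act) n++ }
        END { print n + 0 }'
}

# Which rules saw traffic to destination port $1? Prints "action rule iface" once per
# distinct combination, so a redirect that lands on the wrong rule stands out.
pflog_rules_for_dport() {
    awk -v port="$1" '
        { for (i = 1; i <= NF; i++) if ($i == "rule") break
          if (i + 8 > NF || $(i+7) != ">") next
          dst = $(i+8); sub(/:$/, "", dst)
          n = split(dst, p, "."); if (p[n] != port) next
          split($(i+1), r, "/"); ifc = $(i+5); sub(/:$/, "", ifc)
          key = $(i+2) " " r[1] " " ifc
          if (!(key in seen)) { seen[key] = 1; print key } }'
}

# Per-rule totals, most frequent first: "count action rule".
pflog_summary() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "rule") break
           if (i < NF) { split($(i+1), r, "/"); c[$(i+2) " " r[1]]++ } }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Demonstration on the constructed sample; on a live system pipe tcpdump in instead.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
printf '%s\n' "$SAMPLE_PFLOG" | pflog_rules_for_dport 5281
```

In Julian's case the interesting outcome is the absence of any pflog record for the internal connection attempt, which already tells you the packets never reached the firewall's external address.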

Re: pf rdr-to and access from internal network

Julian Smith
Thanks for the various responses, and especially to trondd for lots of
email help, which enabled me to fix the problem.

The problem was caused by two faults in my setup, which I thought I'd
describe here, in case anyone else has similar problems.

The main problem was that my /etc/hosts (and so dnsmasq) had hard-coded
entries for my external DNS name, mapping it to an internal
(172.16.x.y) IP address. So pf's rules for redirecting incoming data on
the external IP address were not being used when the connection was
from my internal network. The fix was to simply remove these entries
from /etc/hosts and restart dnsmasq.

The second problem was that my pf.conf had 'pass out quick' (from the
FAQ's example) before the other rules. I had to change this to 'pass
out' so that it didn't override the later 'pass out quick on $int_if
proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if' rule.

Everything's working fine now.

I hope that's useful to someone.

- Julian

--
http://op59.net
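Both faults Julian found are easy to check for mechanically. The sh script below is an added example, not from the thread: it flags a hosts/dnsmasq entry that maps a hostname to an RFC 1918 address, and a bare "pass out quick" that precedes a later "pass out ... nat-to" rule. The hosts lines and the hostname server.example.net are constructed; the pf.conf lines are the excerpt from Julian's configuration above, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the faults Julian describes.
#  1. A hosts/dnsmasq entry that maps the external hostname to a private address, so
#     internal clients connect straight to that address and never reach the rdr-to
#     rule on the external IP.
#  2. An unqualified "pass out quick" placed before a later "pass out ... nat-to"
#     rule; the quick rule matches first, so the later nat-to never applies.
# The hosts lines and the name server.example.net are constructed; the pf.conf
# lines are the excerpt from Julian's configuration in this thread.

SAMPLE_HOSTS='127.0.0.1       localhost
172.16.0.1      gw.example.net gw
172.16.0.5      pc5
172.16.0.1      server.example.net'

SAMPLE_PFCONF='set block-policy return
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281
pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
pass in on $int_if'

# Print every RFC 1918 address that a hosts file (stdin) assigns to hostname $1.
# Live use: hosts_private_alias your.external.name < /etc/hosts
hosts_private_alias() {
    awk -v name="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == name && ($1 ~ /^10\./ || $1 ~ /^192\.168\./ ||
                                 $1 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)) print $1 }'
}

# Print "N:M" when line N is a bare "pass out quick" and line M is a later
# "pass out ... nat-to" rule it shadows (pf.conf on stdin).
# Live use: pfconf_quick_shadow < /etc/pf.conf
pfconf_quick_shadow() {
    awk '
        /^[ \t]*pass[ \t]+out[ \t]+quick[ \t]*$/ { q = NR }
        q && /^[ \t]*pass[ \t]+out[ \t]/ && /nat-to/ { print q ":" NR }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_HOSTS" | hosts_private_alias server.example.net
printf '%s\n' "$SAMPLE_PFCONF" | pfconf_quick_shadow
```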