login
Login / Register
Header Space

 
 

Home » Mailing list archives » openbsd-misc » 2007 » August » 21

pf rdr pass query

Score:
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: mgb <lusermgb@...>
To: <misc@...>
Subject: pf rdr pass query
Date: Tuesday, August 21, 2007 - 8:10 am

List,

I'm running 4.1 GENERIC and am having trouble with redirecting traffic.
my openbsd box has a static public address on fxp0 and an 10/8 address 
on fxp1. there is a box behind openbsd with 10.0.0.250 and is listening 
on tcp/9999. any connections for ext_ip on tcp/9999 needs redirecting to 
    10.0.0.250 on the same tcp port.

the PF FAQ states...
"The only exception to this rule is when the pass keyword is used within 
the rdr rule.
In this case, the redirected packets will pass statefully right through 
the filtering engine:
the filter rules won't be evaluated against these packets"

However 10.0.0.250 is not seeing any traffic when I attempt to connect 
to ext_ip tcp port 9999 from an public-external host, the openbsd box 
sends a icmp host (ext_ip) unreachable.

i am sure i'm doing something silly, any ideas?

Here is my pf.conf

#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="fxp0"

int_if="fxp1"

# external IP of this box
ext_ip="<IP>"

# nameservers to use from ext_if
ext_ns="{ <dns1>, <dns2> }"

# the range for clients
nat_ip="10.0.0.254/8"

# ports allowed
ext_pt="{ 80, 443, 9001, 9030 }"

# service pair
int_nb="10.0.0.250"
prt_nb="9999"

set skip on lo
set block-policy drop
set loginterface $ext_if

scrub all

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from any to $ext_ip port $prt_nb -> $int_nb

block in quick inet6 all
block all
anchor "ftp-proxy/*"
pass out log quick on $ext_if inet proto udp from ($ext_if) to $ext_ns 
port 53 keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any modulate 
state
pass on $int_if inet proto tcp from $nat_ip to $int_if port 8123 keep state
pass on $int_if inet proto udp from $nat_ip to $ext_ns port 53 keep state
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
pf rdr pass query, mgb, (Tue Aug 21, 8:10 am)
Re: pf rdr pass query, mgb, (Tue Aug 21, 8:22 am)

Mail archive search
Enter your search terms.
Optionally limit your search to a specific mailing list.
advanced
Recent Tags
more tags
Colocation donated by:
Who's online
There are currently 3 users and 980 guests online.

Online users

Syndicate
Syndicate content
© 2007 KernelTrap.  |  Powered by Drupal.  |  Legal statement.
speck-geostationary