3.1 pf question
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: 3.1 pf question
- From: coldiso_(_at_)_houx_(_dot_)_org
- Date: Mon, 8 Jul 2002 18:01:54 -0400 (EDT)
Hi Everyone!
I have an interesting problem that I am able to duplicate on two different
openbsd machines. I have pf and nat configured to stop all traffic on
$ext_if except what is to be passed quickly or requested by an internal
machine. It is my understanding from the documents that with "quick" the rule
is considered the last matching rule, and evaluation of subsequent rules
is skipped.
My issue:
I want to forward port say 3022 to another machine behind the
firewall to port 22. This is my config for pf and nat respectively.
<pf_snip>
pass in log on $ext_if inet proto tcp from any to any port = 3022 flags S/SA
</pf_snip>
<nat_snip>
rdr on $ext_if proto tcp from any to any port 3022 -> 192.168.1.191 port 22
</nat_snip>
Where the oddness happens is I can't connect to port 3022 unless I add this
statement to pf.conf:
pass in log quick on $ext_if inet proto tcp from any to any port = 22 flags S/SA
Then I am able to connect to port 3022 fine, but I am then also able to connect
on 22 and I don't want this. I had the same issue when trying to redirect
web traffic on port say 8080 to 80 internally: I had to open port 80 on the
$ext_if to get 8080 traffic to flow.
I have worked with openbsd since 2.8 and have enjoyed 3.0 and 3.1 and
think pf rules!!! but this has me really confused and I would like some
help/ suggestions from the gallery. Has anyone else noticed this or am I
just all messed up :P
I have pasted below my entire config for pf and nat; all help is greatly
appreciated.
# pfctl -s all
@0 scrub in on rl0 all
@1 block out on rl0 all
@2 block in on rl0 all
@3 block return-rst out on rl0 proto tcp all
@4 block return-rst in on rl0 proto tcp all
@5 block return-icmp out on rl0 proto udp all
@6 block return-icmp in on rl0 proto udp all
@7 block in from no-route to any
@8 block in quick on rl0 inet from any to 255.255.255.255/32
@9 block in log quick on rl0 inet from 255.255.255.255/32 to any
@10 block in log quick on rl0 inet from 192.168.0.0/16 to any
@11 block in log quick on rl0 inet from 172.16.0.0/12 to any
@12 block in log quick on rl0 inet from 10.0.0.0/8 to any
@13 pass out log on rl0 inet proto icmp all icmp-type echoreq code 0 keep state
@14 block in log on rl0 inet proto icmp all icmp-type echoreq code 0 keep state
@15 pass out on rl0 proto udp all flags S/A keep state
@16 pass out on rl0 proto tcp all modulate state
@17 pass in log on rl0 inet proto tcp from any to any port = smtp flags S/SA
@18 pass in log on rl0 inet proto tcp from 216.255.50.8/32 to any port = ssh flags S/SA
@19 pass in log quick on rl0 inet proto tcp from 209.209.45.32/32 to any port = ssh flags S/SA
@20 pass in log quick on rl0 inet proto tcp from 216.255.50.8/32 to any port = 3022 flags S/SA
@21 pass in log quick on rl0 inet proto tcp from 216.255.50.23/32 to any port = 3022 flags S/SA
@22 pass in log quick on rl0 inet proto tcp from 63.121.61.122/32 to any port = 3022 flags S/SA
nat on rl0 from 192.168.1.1/24 to any -> 24.210.153.224
rdr on rl0 proto tcp from any to 24.210.153.224/25 port 25 -> 192.168.1.191 port 25
rdr on rl0 proto tcp from 216.255.50.8/32 to 24.210.153.224/25 port 3022 -> 192.168.1.191 port 22
rdr on rl0 proto tcp from any to any port 3022 -> 192.168.1.191 port 22
rdr on rl0 proto tcp from any to any port 3024 -> 192.168.1.191 port 22
rdr on rl0 proto tcp from any to any port 3000 -> 192.168.1.191 port 80
Status: Enabled Time: 1026164747 Since: 1025742160 Debug: None
Bytes In IPv4: 0 Bytes Out: 0
IPv6: 0 Bytes Out: 0
Inbound Packets IPv4: Passed: 0 Dropped: 0
IPv6: Passed: 0 Dropped: 0
Outbound Packets IPv4: Passed: 0 Dropped: 0
IPv6: Passed: 0 Dropped: 0
States: 4
pf Counters
state searches 132448
state inserts 802
state removals 798
Counters
match 15759
bad-offset 0
fragment 0
short 0
normalize 0
memory 0
Thanks again for all help
Jason Houx
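The behaviour described in the post follows from pf's evaluation order: an rdr translation is applied to an inbound packet before the filter rules are evaluated, so the filter rules see the translated destination (192.168.1.191, port 22), not the original one (the firewall's address, port 3022). A rule that passes port 3022 therefore never matches the forwarded connection, while a rule that passes port 22 to any destination matches it, but also matches connections to the firewall's own sshd. The narrow fix is a pass rule for the translated packet only, i.e. `pass in log on $ext_if inet proto tcp from any to 192.168.1.191 port = 22 flags S/SA`. The following toy model is an added example, not part of the post or of OpenBSD's pf code; it keeps only the parts of pf's logic that matter here (rdr before filtering, last matching rule wins unless quick, no match means pass) and uses the addresses and ports from the post plus a constructed client address from the 203.0.113.0/24 documentation range:

```python
"""Toy model of pf's handling of an inbound packet that hits an rdr rule.
Added example; the ruleset shapes are simplified versions of the three
configurations described in the post, not the poster's actual pf.conf."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

FIREWALL = "24.210.153.224"   # external address of rl0 (from the post)
INTERNAL = "192.168.1.191"    # rdr target behind the firewall (from the post)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """rdr on $ext_if proto tcp from any to any port <dport> -> <new_dst> port <new_dport>"""
    dport: int
    new_dst: str
    new_dport: int


@dataclass(frozen=True)
class Rule:
    """pass/block in ... from any to <dst> port = <dport> [quick]; None means 'any'."""
    action: str
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False


def apply_rdr(pkt: Packet, rdrs: List[Rdr]) -> Packet:
    """pf rewrites the destination BEFORE the filter rules see the packet."""
    for r in rdrs:
        if pkt.dport == r.dport:
            return replace(pkt, dst=r.new_dst, dport=r.new_dport)
    return pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.dst is None or rule.dst == pkt.dst) and \
           (rule.dport is None or rule.dport == pkt.dport)


def filter_packet(pkt: Packet, rules: List[Rule]) -> str:
    """Last matching rule wins; a 'quick' match stops evaluation; no match -> pass."""
    winner: Optional[Rule] = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"


def evaluate(pkt: Packet, rdrs: List[Rdr], rules: List[Rule]) -> str:
    return filter_packet(apply_rdr(pkt, rdrs), rules)


RDRS = [Rdr(dport=3022, new_dst=INTERNAL, new_dport=22)]
# Constructed test packets: one client using the forward, one aiming at the firewall's own sshd.
FORWARDED = Packet("203.0.113.5", FIREWALL, 3022)
DIRECT_SSH = Packet("203.0.113.5", FIREWALL, 22)

BLOCK_ALL = Rule("block")


def author_ruleset() -> List[Rule]:
    # block in all; pass in ... to any port = 3022  (matches only the UNtranslated port)
    return [BLOCK_ALL, Rule("pass", dport=3022)]


def workaround_ruleset() -> List[Rule]:
    # ... plus: pass in quick ... to any port = 22  (also opens the firewall's own sshd)
    return author_ruleset() + [Rule("pass", dport=22, quick=True)]


def fixed_ruleset() -> List[Rule]:
    # pass in ... to 192.168.1.191 port = 22: matches the translated packet and nothing else
    return [BLOCK_ALL, Rule("pass", dst=INTERNAL, dport=22)]


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    return {"forwarded_3022": evaluate(FORWARDED, RDRS, rules),
            "direct_22": evaluate(DIRECT_SSH, RDRS, rules)}


if __name__ == "__main__":
    for name, rs in (("author", author_ruleset()),
                     ("workaround", workaround_ruleset()),
                     ("fixed", fixed_ruleset())):
        print(f"{name:10s} {verdicts(rs)}")
```

Running it shows the three outcomes from the post: with the original rules the forwarded connection is blocked, with the quick port-22 rule both the forward and direct ssh to the firewall pass, and with the rule narrowed to the internal host only the forwarded connection passes. The same reasoning applies to the 8080-to-80 redirect mentioned in the post: the pass rule must name the internal web server and port 80, not port 8080 on $ext_if.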