Date:      Sun, 13 May 2012 17:25:18 +0300
From:      orpheus <eugenyuk@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   rdr to 127.0.0.1 doesn't work
Message-ID:  <CAMwX9e8k5_Xx1ZapseE2c=n2aoaYT5FfGeVQr_RsWqp2YdQh5Q@mail.gmail.com>

Hello, guys!

I am trying to configure redirection to 127.0.0.1 port 8025 (spamd service)
in pf but with no luck.

System:
FreeBSD 8.2-RELEASE amd64

root ~ # sockstat -l | grep 8025
_spamd   obspamd    32926 4  tcp4   127.0.0.1:8025        *:*
_spamd   obspamd    32923 4  tcp4   127.0.0.1:8025        *:*
_spamd   obspamd    32922 4  tcp4   127.0.0.1:8025        *:*

root ~ # ifconfig
igb0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        ether 00:25:90:09:01:b2
        media: Ethernet autoselect
        status: no carrier
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        ether 00:25:90:09:01:b3
        inet 1.1.1.2 netmask 0xffffff00 broadcast 1.1.1.255
        inet 1.1.1.3 netmask 0xffffffff broadcast 1.1.1.3
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152

This is my /etc/pf.conf:
===
ext_if = "igb1"
tcp_services="{ 21, 25, 80, 110, 143, 443, 993, 995, 1178, 2224, 2222, 5666 }"
udp_services="{ 53 }"
icmp_types="{ echoreq, unreach }"

table <firewall> const { self }

set skip on lo0

rdr on $ext_if inet proto tcp from any to $ext_if port 25 -> 127.0.0.1 port 8025

block log all
pass in  log inet proto tcp from any     to 127.0.0.1 port 8025
pass in log on $ext_if inet proto tcp from any to $ext_if port 2224 keep state (max-src-conn 10, max-src-conn-rate 5/60, overload <hammering> flush)

pass in log quick on $ext_if proto tcp from any to <firewall> port www flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to <firewall> port $tcp_services flags S/SA synproxy state
pass in log on $ext_if proto { tcp, udp } from any to <firewall> port $udp_services keep state
pass in log on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state

pass in  log on lo0     inet proto tcp from any     to 127.0.0.1 port 8025

pass in  log on $ext_if inet proto tcp from any     to $ext_if   port smtp
pass out log on $ext_if      proto tcp              to           port smtp
===

Then I am connecting to 127.0.0.1 from localhost:
root ~ # telnet 127.0.0.1 8025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 m

And from a remote host to my server on port 25:
[root@remoteunixadmin] ~# telnet 212.26.132.2 25
Trying 212.26.132.2...

Can't connect.

Checking pflog at the same time:
root ~ # tcpdump -eni pflog0 dst port 8025
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
17:19:39.787682 rule 2/0(match): pass in on igb1: 46.16.229.18.33722 > 127.0.0.1.8025:  tcp 28 [bad hdr length 0 - too short, < 20]
17:19:40.877001 rule 2/0(match): pass in on igb1: 112.234.161.49.26795 > 127.0.0.1.8025: [|tcp]
17:19:41.163942 rule 2/0(match): pass in on igb1: 117.241.70.9.4183 > 127.0.0.1.8025: [|tcp]
17:19:41.366829 rule 2/0(match): pass in on igb1: 117.244.3.240.63272 > 127.0.0.1.8025:  tcp 28 [bad hdr length 0 - too short, < 20]
17:19:41.629751 rule 2/0(match): pass in on igb1: 113.162.244.56.3196 > 127.0.0.1.8025: [|tcp]
17:19:42.128182 rule 2/0(match): pass in on igb1: 123.213.32.15.2554 > 127.0.0.1.8025: [|tcp]
17:19:42.387051 rule 2/0(match): pass in on igb1: 211.177.83.30.1836 > 127.0.0.1.8025:  tcp 32 [bad hdr length 0 - too short, < 20]
^C
7 packets captured
67 packets received by filter
0 packets dropped by kernel

So it seems the packets are being redirected, but the connection doesn't reach the
8025 service, because spamd doesn't answer.
Actually this applies not only to spamd but to any service that listens on
127.0.0.1. I've tried binding the service to my external interface, and then the
redirection worked like a charm.
Please help: what's the problem?

Big thanks!
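The pflog capture above is the one piece of evidence in the post that separates "the rdr rule never fired" from "the rdr fired but the service never answered": pf applies rdr before the filter rules are evaluated, so a `pass in on igb1` entry whose destination is already 127.0.0.1.8025 proves the translation happened. The following script is an added example, not code from the original post or from the pf project; it summarises `tcpdump -eni pflog0` output per action, direction, interface, rule and destination, and counts inbound packets on a non-loopback interface that already carry a 127.0.0.1 destination. The embedded `PFLOG_SAMPLE` lines are constructed to mirror the format in the post (the block and pass-out lines, and the address 203.0.113.7, are made up); the function names are my own. Note that with `set skip on lo0` in the poster's config, pf never filters or logs lo0 traffic, so nothing on lo0 will ever show up in such a summary.

```shell
#!/bin/sh
# Added example (not from the original post or from pf): summarise pflog
# output so the effect of an rdr rule is visible per rule/interface/target.
# PFLOG_SAMPLE is constructed to mirror the "tcpdump -eni pflog0" format shown
# in the post; the block line and the pass-out line are invented.
PFLOG_SAMPLE='17:19:39.787682 rule 2/0(match): pass in on igb1: 46.16.229.18.33722 > 127.0.0.1.8025: tcp 28
17:19:40.877001 rule 2/0(match): pass in on igb1: 112.234.161.49.26795 > 127.0.0.1.8025: [|tcp]
17:19:45.000001 rule 0/0(match): block in on igb1: 203.0.113.7.4444 > 1.1.1.2.23: [|tcp]
17:19:46.000001 rule 7/0(match): pass out on igb1: 1.1.1.2.25 > 46.16.229.18.33722: [|tcp]'

# pflog_summary [file]: one line per (action, direction, interface, rule,
# destination) with a packet count, e.g. "pass in igb1 2/0 127.0.0.1.8025 2".
# Reads the constructed sample when no file is given; pass a file (or "-" for
# stdin) to feed it real "tcpdump -eni pflog0" output instead.
pflog_summary() {
    if [ $# -gt 0 ]; then cat -- "$1"; else printf '%s\n' "$PFLOG_SAMPLE"; fi |
    awk '
    /rule [0-9]+\/[0-9]+\(match\):/ {
        # fields: $2=rule $3=N/M(match): $4=action $5=dir $6=on $7=iface: $8=src $9=> $10=dst:
        rule = $3;  sub(/\(match\):$/, "", rule)   # "2/0(match):"     -> "2/0"
        iface = $7; sub(/:$/, "", iface)           # "igb1:"           -> "igb1"
        dst = $10;  sub(/:$/, "", dst)             # "127.0.0.1.8025:" -> "127.0.0.1.8025"
        n[$4 " " $5 " " iface " " rule " " dst]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# count_redirected_to_loopback [file]: inbound packets that pf logged on a
# non-loopback interface with a 127.0.0.1 destination.  Because rdr runs before
# the filter rules, such an entry shows the translation to 127.0.0.1 happened;
# it says nothing about whether the listening socket ever answered.
count_redirected_to_loopback() {
    pflog_summary "$@" | awk '$2 == "in" && $3 != "lo0" && $5 ~ /^127\.0\.0\.1\./ { s += $NF }
                              END { print s + 0 }'
}

# Stand-alone run: print the summary and the redirected-packet count.
pflog_summary
printf 'inbound packets already rewritten to 127.0.0.1: %s\n' "$(count_redirected_to_loopback)"
```

To use it on a live box, capture with `tcpdump -eni pflog0 -l > /tmp/pflog.txt` while the remote telnet test runs, then call `count_redirected_to_loopback /tmp/pflog.txt`; a non-zero count with no reply from the service points the investigation past the rdr rule, at whatever happens between pf passing the packet and the socket bound to 127.0.0.1:8025.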



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAMwX9e8k5_Xx1ZapseE2c=n2aoaYT5FfGeVQr_RsWqp2YdQh5Q>