From: Artyom Viklenko <artem@aws-net.org.ua>
Organization: Art&Co.
Date: Fri, 28 Jan 2011 11:12:55 +0200
To: andy thomas
Cc: freebsd-pf@freebsd.org
Subject: Re: PF port forward problem with Sonicwall VPN
Message-ID: <4D428897.4030505@aws-net.org.ua>
List-Id: "Technical discussion and general questions about packet filter (pf)"

28.01.2011 10:49, andy thomas wrote:
> I'm maintaining some OpenBSD-based firewalls and have been really
> stumped with a problem when trying to add a Sonicwall VPN appliance
> behind the firewall, and thought I'd ask here for help.
>
> The Sonicwall device uses SSL on port 443 for its external VPN traffic
> and listens on other ports for internal LAN traffic and it uses a single
> network interface for this. On our installation, there is a webmail
> server behind the firewall listening on port 443 and the existing PF
> rule for this is (abbreviated for clarity):
>
> ext_if="vr0"
> int_if="vr1"
>
> webmail="192.168.30.14"
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
>
> This works fine so as external port 443 is already in use for webmail, I
> decided to use external port 444 for the Sonicwall and added these two
> extra rules:
>
> sonicwall="192.168.30.28"
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443
>
> However, the Sonicwall cannot be accessed from the external port 444
> although it can be accessed internally on port 443 of course. I have

Check your filtering rules on the internal interface; maybe you have a 'pass' for traffic to the webmail host and not for the Sonicwall?

> tested this rule by changing it to point to the webmail server like this:
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $webmail port 443
>
> and this works fine as I can access webmail on port 444. But why can't I
> access the Sonicwall on port 444? Does anyone know if the Sonicwall uses
> additional ports or has anyone got this device to work with a PF-based
> firewall?
>
> Thanks in advance for any suggestions,
>
> Andy
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem@viklenko.net   | JID: artem@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org
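As an added example (not from Andy's or Artyom's mail) of the check Artyom suggests, here is a pf.conf fragment in the pre-OpenBSD 4.7 `rdr` syntax the thread uses, with the interface and host macros from Andy's mail. The `$lan` macro, the `block log all` default and the explicit `pass` rules on `$int_if` are assumptions for illustration. The point it shows is that pf evaluates filter rules after translation, so a filter rule on the internal interface has to match the translated destination (`$sonicwall` port 443), never `$ext_if` port 444; a ruleset that only passes traffic to `$webmail` on `$int_if` will let the webmail redirect through and drop the Sonicwall one, which is exactly the symptom in the thread.

```pf
# pf.conf fragment (added example, old rdr syntax as used in the thread).
ext_if="vr0"
int_if="vr1"
lan="192.168.30.0/24"          # assumed LAN prefix, not from the thread
webmail="192.168.30.14"
sonicwall="192.168.30.28"

# Translation is applied first. Every filter rule below sees the rewritten
# destination (e.g. 192.168.30.28 port 443), not "$ext_if port 444".
rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

# Assumed default-deny; everything not passed below is logged to pflog0.
block log all

# Internal interface. If only the first of these two rules exists, the
# redirected Sonicwall sessions match the rdr on $ext_if but are blocked
# when they leave on $int_if, while webmail keeps working.
pass out on $int_if proto tcp from any to $webmail   port 443 keep state
pass out on $int_if proto tcp from any to $sonicwall port 443 keep state

# Let the LAN initiate outbound connections (assumed policy).
pass in on $int_if from $lan to any keep state
```

To confirm which side is dropping the packets before changing anything, load the ruleset with `pfctl -nf /etc/pf.conf` (syntax check only), list the active translation and filter rules with `pfctl -sn` and `pfctl -sr`, and watch `tcpdump -n -e -ttt -i pflog0 port 443` while connecting to port 444 from outside: a `block` entry on `vr1` with the translated destination 192.168.30.28 points at a missing pass rule on the internal interface rather than at the `rdr` rule or the Sonicwall itself.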