From owner-freebsd-pf@FreeBSD.ORG Sat Nov 15 17:33:14 2008
From: mouss <mouss@netoyen.net>
Date: Sat, 15 Nov 2008 18:16:38 +0100
To: freebsd-pf@freebsd.org
Subject: Re: can't add a port forwarding
Message-ID: <491F03F6.4020307@netoyen.net>
References: <49106B68.2060007@cyanide-studio.com>
In-Reply-To: <49106B68.2060007@cyanide-studio.com>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Sat, 15 Nov 2008 17:33:14 -0000

Bastien Semene wrote:
> Hi everyone,
>
> I'm currently facing a weird problem. I have a pf box acting as a
> gateway for some services and want to add a port forwarding for https.
>
> So I added the following rule:
>
> rdr pass on $ext_if proto tcp from any to any port 443 -> $atlas_ip
> // variables are correct since I have a similar rule for port 80.
>
> The "pfctl -s nat" output shows this:
>
> nat on bge0 inet from 10.1.8.1 to any -> "external_interface_ip"
> rdr pass on bge0 inet proto tcp from any to any port = http -> 10.1.8.1
> rdr pass on bge0 inet proto tcp from any to any port = https -> 10.1.8.1
>
> An Nmap from outside shows this:
>
> # nmap -P0 -p80,443,17900 "external_interface_ip"
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2008-11-04 16:22 CET
> Interesting ports on "external_interface_ip":
> PORT      STATE    SERVICE
> 80/tcp    open     http
> 443/tcp   closed   https
> 17900/tcp filtered unknown

maybe you allow port 80 but not 443 in your pf rules?

> I tried reloading pf rules with "pfctl -F all -f /etc/pf.conf",
> restarting the machine, but nothing changed. The securelevel is also at
> -1, so pf should take the changes into account.
> And of course the destination https server receives nothing on the https port.
> http and preconfigured nat/forwards work perfectly.
>
> I tried to comment out the "scrub in all" option, but because the rdr line
> doesn't seem to be affected, I'm not sure this one is.
>
> If someone has an idea or direction to follow I take every piece of
> thought.
> Thanks all.
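A small diagnostic helper in the spirit of the reply above, added here as an example and not part of the thread: for a TCP port it checks whether the translation list has a redirect on the external interface and whether the filter list passes that port in, so a port that is redirected but never passed stands out. The two rule sets are constructed samples modelled on the quoted `pfctl -s nat` output (bge0 and 10.1.8.1 come from the thread; 192.0.2.1 is a placeholder for the external address, and the filter ruleset with only an http pass rule is an assumption).

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): compare "pfctl -s nat" and
# "pfctl -s rules" for a given TCP port. The rule text below is a constructed
# sample; on a live box replace it with
#   NAT_RULES=$(pfctl -s nat); FILTER_RULES=$(pfctl -s rules)
EXT_IF=bge0

# Constructed sample modelled on the thread; 192.0.2.1 is a placeholder address.
NAT_RULES='nat on bge0 inet from 10.1.8.1 to any -> 192.0.2.1
rdr pass on bge0 inet proto tcp from any to any port = http -> 10.1.8.1
rdr pass on bge0 inet proto tcp from any to any port = https -> 10.1.8.1'

# Assumed filter set: only http is passed in on the external interface.
FILTER_RULES='block return in on bge0 all
pass in on bge0 inet proto tcp from any to any port = http flags S/SA keep state
pass out on bge0 all keep state'

# pfctl prints well-known ports by service name, so match both spellings.
port_regex() {
    case "$1" in
        80)  echo '(80|http)' ;;
        443) echo '(443|https)' ;;
        *)   echo "$1" ;;
    esac
}

# has_rdr PORT: true if a rdr rule on EXT_IF redirects that TCP port.
has_rdr() {
    printf '%s\n' "$NAT_RULES" |
        grep -Eq "^rdr( pass)? on $EXT_IF .*proto tcp .*port = $(port_regex "$1") ->"
}

# has_filter_pass PORT: true if an explicit "pass in" rule on EXT_IF covers the
# port. (A "rdr pass" translation rule bypasses filtering by itself; this check
# is about the filter list the reply points at.)
has_filter_pass() {
    printf '%s\n' "$FILTER_RULES" |
        grep -Eq "^pass in .*on $EXT_IF .*proto tcp .*port = $(port_regex "$1")( |$)"
}

# check_port PORT: prints one of none / rdr-only / rdr+pass.
check_port() {
    if ! has_rdr "$1"; then echo none
    elif has_filter_pass "$1"; then echo rdr+pass
    else echo rdr-only
    fi
}

for p in 80 443 17900; do printf '%s: %s\n' "$p" "$(check_port "$p")"; done
```

With the sample rule sets, 80 reports rdr+pass, 443 reports rdr-only and 17900 reports none, which is the kind of mismatch the reply asks the poster to look for.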