Date: Wed, 16 Oct 2019 08:36:21 -0600
From: The Doctor <doctor@doctor.nl2k.ab.ca>
To: freebsd-pf@freebsd.ord, freebsd-questions@freebsd.org
Subject: Port 80 to port 8443 redirection question
Message-ID: <20191016143621.GA18824@doctor.nl2k.ab.ca>
This has been bugging me for some time. Given

## Set your public interface ##
ext_if="igb0"
## Internal bridge for virtually hosted machines
int_if="bridge0"

## Set your server public IP address ##
ext_if_ip="192.168.81.1"
int_if_ip="192.168.81.60"

# Proxy for FTP
proxy="127.0.0.1"
proxyport="8021"

# All virtual machines go here!
sl="192.168.81.52"
fedora="192.168.81.53"
centos="192.168.81.54"
debian="192.168.81.55"
ubuntu="192.168.81.57"
win2019="192.168.81.58"
kali="192.168.81.59"
oracle="192.168.81.61"

# In case you need a whole group
vhosts = "{ 192.168.81.52, 192.168.81.53, 192.168.81.54, \
            192.168.81.55, 192.168.81.57, 192.168.81.58, \
            192.168.81.59, 192.168.81.61 }"

## Set and drop these IP ranges on public interface and any other troublemakers ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4, 185.162.235.0/24, \
              87.145.0.0/16 }"

## Set http(80)/https (443) port here and other ports that need accessing ##
webports = "{ http, https, 8443, 119, 561, 110, 143, 993, 995, 20, 21, 23, 79, 25, 465, 587, 53, 513, 783, 3310, 4610, 3128, 69, 10000, 20000, 43, 63, 4321, 8000:8100, 5900:5999, 49150:61000 }"

# Radius
radiusports = "{ 1645, 1646, 1812, 1813 }"

## enable these services ##
int_tcp_services = "{ domain, ntp, smtp, nntp, smtps, submission, www, https, 20, ftp, ssh, 110, 143, 636, 993, 995, 443, 561, 783, 3310, 7500, 8443, 10000, 20000, 43, 63, 4321, 4610, 3128, 8000:8100, 5900:5999, 23, 49150:61000 }"
int_udp_services = "{ domain, ntp, 69 }"
int_radius_services = "{ 1645, 1646, 1812, 1813 }"

## Skip loopback interface - Skip all PF processing on interface bridge and virtual hosts ##
set skip on lo
set skip on bridge0
set skip on tap0
set skip on tap1
set skip on tap2
set skip on tap3
set skip on tap4
set skip on tap5
set skip on tap6
set skip on tap7
set skip on tap8
set skip on tap9
set skip on tap10
set skip on tap11
set skip on tap12
set skip on tap13
set skip on tap14
set skip on tap15

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
set fingerprints "/etc/pf.os"

# Deal with attacks based on incorrect handling of packet fragments
scrub in all

################### TRANSLATION #############
#### NAT and RDR start
nat on $ext_if from $int_if to any -> ($ext_if)
nat on $int_if from $sl to any -> ($int_if)
nat on $int_if from $fedora to any -> ($int_if)
nat on $int_if from $centos to any -> ($int_if)
nat on $int_if from $debian to any -> ($int_if)
nat on $int_if from $ubuntu to any -> ($int_if)
nat on $int_if from $win2019 to any -> ($int_if)
nat on $int_if from $kali to any -> ($int_if)
nat on $int_if from $oracle to any -> ($int_if)

## Please note for virtual machines you are passing the packets via the
## virtual switch so treat as machine (tap) into switch (bridge) into
## your machine acting as the host (exit)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

## Set default policy ##
block return in log all
block out all

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 20
pass out proto tcp from $proxy to any port 21
pass out on $ext_if inet proto { tcp, udp } from $ext_if to any port ftp:ftp-proxy
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 20
pass in on egress proto tcp to port > 49151
pass out quick on egress inet proto tcp from any to 192.168.81.1 flags S/SA
pass out quick on egress inet proto tcp from any to 192.168.81.3 flags S/SA

# set up virtual switch
pass in quick on bridge0 all
pass quick on tap0 all
pass quick on tap1 all
pass quick on tap2 all
pass quick on tap3 all
pass quick on tap4 all
pass quick on tap5 all
pass quick on tap6 all
pass quick on tap7 all
pass quick on tap8 all
pass quick on tap9 all
pass quick on tap10 all
pass quick on tap11 all
pass quick on tap12 all
pass quick on tap13 all
pass quick on tap14 all
pass quick on tap15 all

# Drop all non-routable addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop in quick on $vhosts from $martians to any
block drop out quick on $vhosts from any to $martians

## Blocking spoofed packets
antispoof quick for $ext_if
antispoof quick for $vhosts

# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz IP only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 192.168.81.0/24 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"

## Use the following rule to enable ssh for ALL users from any IP address #
## pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
pass in inet proto tcp to $ext_if_ip port 22
pass in inet proto tcp to $vhosts port 22

# Allow ping-pong stuff. Be a good sysadmin
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state

# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep state

# All access to our Nginx/Apache/Lighttpd webserver and other ports
pass proto tcp from any to $ext_if port $webports
pass proto udp from any to $ext_if port $webports
pass proto udp from any to $ext_if port $radiusports
pass proto tcp from any to $vhosts port $webports
pass proto udp from any to $vhosts port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if proto udp to any port $int_radius_services
pass out quick on $vhosts proto tcp to any port $int_tcp_services
pass out quick on $vhosts proto udp to any port $int_udp_services

# For radius make certain for older systems port 1645 and current 1812
pass in log quick on $ext_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state
pass out quick all flags S/SA keep state

# Add custom rules below
# The <bruteforce> table must exist before a rule can reference it
table <bruteforce> persist
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)
##

I wonder if sshguard works with pf. I wish to redirect 192.168.81.1 port 80 to 192.168.81.1 port 8443. How can I do that given the above pf configuration?

-- 
Member - Liberal International  This is doctor@@nl2k.ab.ca  Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b
Look at Psalms 14 and 53 on Atheism
Canada - Choose Forward on 21 Oct 2019 !
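One way to do the redirect asked about, as an added example that is not from the original mail or from the FreeBSD project: an rdr rule in the TRANSLATION section that rewrites destination port 80 on $ext_if_ip to 8443, using the $ext_if and $ext_if_ip macros from the posted ruleset. With the nat/rdr syntax used above, pfctl requires translation rules to come before the block/pass rules, so the line belongs next to the existing ftp rdr, not at the end of the file.

```pf
## Added example: redirect 192.168.81.1:80 to 192.168.81.1:8443.
## Put this beside the existing "rdr pass proto tcp ... port ftp" line in the
## TRANSLATION section; pfctl rejects an rdr rule placed after filter rules.
## Only packets entering through igb0 are translated: connections from the host
## itself (lo is skipped) or arriving on bridge0 (also skipped) are not matched.
rdr on $ext_if inet proto tcp from any to $ext_if_ip port 80 -> $ext_if_ip port 8443

## No extra pass rule is needed. Filtering runs after translation, so the
## filter rules see destination port 8443, and the existing
##   pass proto tcp from any to $ext_if port $webports
## already admits 8443 because it is listed in $webports.
```

Check the edited file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm the translation rule is active with `pfctl -sn` and watch new states with `pfctl -ss`.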