From owner-freebsd-pf@FreeBSD.ORG Tue Nov 4 15:56:39 2008
Message-ID: <49106B68.2060007@cyanide-studio.com>
Date: Tue, 04 Nov 2008 16:34:00 +0100
From: Bastien Semene
To: freebsd-pf@freebsd.org
Subject: can't add a port forwarding
Hi everyone,

I'm currently facing a weird problem. I have a pf box acting as a gateway for some services and want to add a port forwarding for https. So I added the following rule:

    rdr pass on $ext_if proto tcp from any to any port 443 -> $atlas_ip

// variables are correct since I have a similar rule for port 80.

"pfctl -s nat" shows this:

    nat on bge0 inet from 10.1.8.1 to any -> "external_interface_ip"
    rdr pass on bge0 inet proto tcp from any to any port = http -> 10.1.8.1
    rdr pass on bge0 inet proto tcp from any to any port = https -> 10.1.8.1

An Nmap from outside shows this:

    # nmap -P0 -p80,443,17900 "external_interface_ip"

    Starting Nmap 4.20 ( http://insecure.org ) at 2008-11-04 16:22 CET
    Interesting ports on "external_interface_ip":
    PORT      STATE    SERVICE
    80/tcp    open     http
    443/tcp   closed   https
    17900/tcp filtered unknown

I tried reloading the pf rules with "pfctl -F all -f /etc/pf.conf" and restarting the machine, but nothing changed. The securelevel is also at -1, so pf should take the changes into account.

And of course the destination https server receives nothing on the https port. http and the preconfigured nat/forwards work perfectly.

I tried commenting out the "scrub in all" option, but because the rdr line doesn't seem to be affected, I'm not sure this one is.

If someone has an idea or a direction to follow, I'll take every piece of thought.

Thanks all.
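The following pf.conf fragment is an added example for readers of this thread; it is not the poster's configuration and not part of the FreeBSD project. It reproduces the two redirections from the post in the two equivalent forms pf accepts, with the logging and the checks a practitioner would use to see whether a translated packet actually reaches the filter and the internal host. The interface name bge0, the internal target 10.1.8.1 and the macro names $ext_if and $atlas_ip come from the post; the internal network 10.1.8.0/24, the internal interface name and the macro $int_if are assumptions.

```pf
# --- macros (bge0 and 10.1.8.1 are from the post; int_if and int_net are assumed)
ext_if   = "bge0"
int_if   = "bge1"
int_net  = "10.1.8.0/24"
atlas_ip = "10.1.8.1"
web_ports = "{ http, https }"

# --- normalisation: "scrub in all" as in the post; it rewrites headers but
#     does not decide whether a redirected packet is forwarded
scrub in all

# --- translation
# Outbound NAT for the internal host, as shown by "pfctl -s nat" in the post.
nat on $ext_if inet from $atlas_ip to any -> ($ext_if)

# Form 1 (what the post uses): "rdr pass" translates AND passes the packet,
# skipping the filter rules below entirely, so nothing under "block" or
# "pass in" can be the reason it is dropped. The "log" keyword makes each
# accepted redirected packet visible on pflog0.
rdr pass log on $ext_if inet proto tcp from any to ($ext_if) port $web_ports -> $atlas_ip

# Form 2 (alternative, commented out): plain "rdr" only translates; the
# packet then has to be allowed by a filter rule that matches the
# *translated* destination ($atlas_ip), not the external address.
# rdr on $ext_if inet proto tcp from any to ($ext_if) port $web_ports -> $atlas_ip

# --- filtering (only consulted for packets that were not "rdr pass"ed)
block log all
pass out quick on $ext_if keep state
pass in quick on $int_if from $int_net to any keep state

# Needed only with form 2: the post-translation packet arrives on bge0 with
# destination 10.1.8.1, so the rule must name that address.
# pass in log quick on $ext_if inet proto tcp from any to $atlas_ip port $web_ports flags S/SA keep state

# --- checks to run on the gateway (not part of the ruleset):
#   pfctl -vnf /etc/pf.conf          parse and show the expanded rules without loading
#   pfctl -s nat                     confirm both rdr lines are loaded (post shows they are)
#   pfctl -s rules                   confirm the filter rules in effect after "rdr pass"
#   tcpdump -n -e -ttt -i pflog0 port 443
#                                    show the redirected packet with its rule number,
#                                    direction and the address it was translated to
#   pfctl -s state | grep ':443'     a state entry means pf forwarded the SYN
# --- check to run on the internal host:
#   sockstat -4l | grep ':443'       confirm something is listening on 443 there
```

Reading the nmap output in the post against these checks: an nmap state of "closed" means a TCP RST came back to the scanner, while "filtered" means nothing came back at all, so the two port states point at different stages (something answered for 443, nothing answered for 17900). The pflog0 capture and the state table show whether pf translated and forwarded the SYN; the sockstat check on the internal host shows whether there was a listener to accept it. Only the pair together tells you which side of the gateway produced the reply.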