From: "Keith Bottner" <keith@barkinglizards.com>
To: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 09:58:45 -0600
Organization: Barking Lizards Technologies
Subject: Port redirection just not working!

I am having a problem getting packet filter to redirect incoming traffic destined for a specific IP and port to an internal DMZ host. Interestingly enough, I am not having a problem doing the same with SSH, just with these nonstandard ports.
I was originally redirecting the traffic and then placing filtering rules to pass the traffic, but since I could not get that to work I just tried having the redirection rules pass the traffic directly, bypassing the filtering rules, and this does NOT work either. I would appreciate any insight someone can give me into what I am doing wrong, as I have read the manual several times and googled forever with no luck.

Any help would be appreciated,
Keith

My firewall has 3 NICs: 1 external, 1 DMZ, and 1 internal.

##########
# MACROS #
##########
ext_if="xl1"
ext_gw_addr="X.Y.Z.17"
ext_nat_addr="X.Y.Z.18"
ext_http_addr="X.Y.Z.19"
ext_ftp_addr="X.Y.Z.19"
ext_blits_addr="X.Y.Z.19"
ext_unused1_addr="X.Y.Z.20"
ext_unused2_addr="X.Y.Z.21"
ext_ea_addr="X.Y.Z.22"

# Internal (Intranet)
int_if="xl0"
int_net="192.168.1.0/24"

# DMZ
dmz_if="vr0"
dmz_net="10.11.13.0/24"
dmz_http_addr="10.11.13.100"
dmz_ftp_addr="10.11.13.100"
dmz_nimb_addr="10.11.13.106"
dmz_clip_addr="10.11.13.103"
dmz_three_addr="10.11.13.203"
dmz_four_addr="10.11.13.204"
dmz_five_addr="10.11.13.205"

##########
# TABLES #
##########
# (the table names in <angle brackets> were lost when this message was archived)
table const { 127/8, 10/8, 172.16/12, 192.168/16 }
table const { X.Y.Z.18, X.Y.Z.19, X.Y.Z.20, X.Y.Z.21}

#################
# NORMALIZATION #
#################
scrub in all fragment reassemble

############
# QUEUEING #
############

###############
# TRANSLATION #
###############
# FTP Active connections
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT workstations
nat on $ext_if from $int_net to any -> $ext_nat_addr

# NAT servers external requests
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

###############
# REDIRECTION #
###############
# *********** DOES NOT WORK - START ***********
rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr pass on $int_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4040:4044 -> $dmz_four_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4040:4044 -> $dmz_four_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4050:4054 -> $dmz_five_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4050:4054 -> $dmz_five_addr
# *********** DOES NOT WORK - END ***********

rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http
rdr on $int_if proto tcp from any to $ext_http_addr port http -> $dmz_http_addr port http
rdr on $ext_if proto tcp from any to $ext_http_addr port ssh -> $dmz_http_addr
rdr on $int_if proto tcp from any to $ext_http_addr port 200 -> $dmz_http_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_nimb_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_nimb_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 223 -> $dmz_three_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 223 -> $dmz_three_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 224 -> $dmz_four_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 224 -> $dmz_four_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 225 -> $dmz_five_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 225 -> $dmz_five_addr port ssh
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr
rdr on $int_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $int_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr

#############
# FILTERING #
#############
block in log all
block out log all
pass quick on lo0 all
# (the <table> names in the 'from' and 'to' of the next two rules were lost when this message was archived)
block in log quick on $ext_if from to any
block out quick on $ext_if from any to
antispoof quick for { $int_if, $dmz_if } inet
pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass in log on $ext_if proto tcp from any to $dmz_http_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_nimb_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_clip_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_three_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_four_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_five_addr port ssh flags S/SA synproxy state
# *********** HERE ARE THE OLD RULES I WAS USING BEFORE I DECIDED TO REMOVE THEM AND JUST PASS IN
# *********** THE REDIRECTION RULES ABOVE. INCLUDED THEM HERE FOR COMPLETENESS.
#pass in on $ext_if proto tcp from any to $dmz_clip_addr port 9874
#pass in on $ext_if proto tcp from any to $dmz_three_addr port { 4030 4031 4032 4033 4034 } flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $dmz_four_addr port { 4040 4041 4042 4043 4044 } flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $dmz_five_addr port { 4050 4051 4052 4053 4054 } flags S/SA synproxy state
pass in on $int_if from $int_net to any keep state
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
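An added consistency check, not part of Keith's message or of pf itself: a small Python script that reads rdr and pass rules of the kind used above and reports every plain rdr whose translated destination (the DMZ address and port that the filter rules see after NAT) has no covering "pass in" rule on the same interface, skipping "rdr pass" rules because those pass the packet without consulting the filter rules. The pf.conf excerpt embedded in it is constructed with a placeholder external address, and the parser only understands the rule shapes that occur in this message (proto tcp, from any, a single address, a port or a port range).

```python
import re

# Constructed pf.conf excerpt modelled on the message above: same macro names and
# rule shapes, placeholder external address (192.0.2.0/24 is a documentation range).
PF_CONF = """
ext_if="xl1"
ext_http_addr="192.0.2.19"
dmz_http_addr="10.11.13.100"
dmz_clip_addr="10.11.13.103"
rdr on $ext_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr on $ext_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_http_addr port ssh
block in log all
pass in log on $ext_if proto tcp from any to $dmz_clip_addr port ssh flags S/SA synproxy state
"""
SERVICES = {"ssh": 22, "http": 80, "ftp": 21}   # service names used in the message

def port_range(spec):                           # 'ssh' -> (22, 22); '4030:4034' -> (4030, 4034)
    lo, _, hi = spec.partition(":")
    num = lambda p: SERVICES.get(p) or int(p)
    return num(lo), num(hi or lo)

# Only the rule shapes used in the message: proto tcp, 'from any', one address, port or range.
RDR = re.compile(r"^rdr(?P<pass>\s+pass)?\s+on\s+(?P<if>\S+)\s+proto\s+tcp\s+from\s+any\s+to\s+\S+"
                 r"\s+port\s+(?P<port>[\w:]+)\s+->\s+(?P<rdst>\S+)(?:\s+port\s+(?P<rport>[\w:]+))?")
PASS = re.compile(r"^pass\s+in(?:\s+(?:log|quick))*\s+on\s+(?P<if>\S+)\s+proto\s+tcp"
                  r"\s+from\s+any\s+to\s+(?P<dst>\S+)\s+port\s+(?P<port>[\w:]+)")

def unfiltered_redirects(conf):
    """(interface, translated address, lo, hi) for every plain rdr with no 'pass in' rule
    covering its translated destination on that interface ('rdr pass' needs none)."""
    macros, rdrs, passes = {}, [], []
    for raw in conf.splitlines():
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)),
                      raw.split("#", 1)[0].strip())          # drop comments, expand macros
        if m := re.fullmatch(r'(\w+)="([^"]*)"', line):      # macro definition
            macros[m.group(1)] = m.group(2)
        elif m := RDR.match(line):
            rdrs.append(m.groupdict())
        elif m := PASS.match(line):
            passes.append(m.groupdict())
    missing = []
    for r in rdrs:
        lo, hi = port_range(r["rport"] or r["port"])   # no '-> port' keeps the original port(s)
        if not r["pass"] and not any(p["if"] == r["if"] and p["dst"] == r["rdst"]
                                     and port_range(p["port"])[0] <= lo <= hi <= port_range(p["port"])[1]
                                     for p in passes):
            missing.append((r["if"], r["rdst"], lo, hi))
    return missing
```

On the embedded excerpt the 220 -> ssh redirect is covered by the pass rule for $dmz_clip_addr, the 9874 rule is an rdr pass, and only the 1666 -> $dmz_http_addr port ssh redirect is reported, because no filter rule admits ssh to 10.11.13.100.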