Date: Wed, 1 Feb 2006 19:09:01 +0100
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Keith Bottner <keith@barkinglizards.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Port redirection just not working!
Message-ID: <20060201180901.GC1311@insomnia.benzedrine.cx>
In-Reply-To: <0be301c62748$624140d0$0e01a8c0@Stile>
References: <0be301c62748$624140d0$0e01a8c0@Stile>
On Wed, Feb 01, 2006 at 09:58:45AM -0600, Keith Bottner wrote:

> I am having a problem getting packet filter to redirect incoming traffic
> destined for a specific IP and port to an internal DMZ host. Interestingly
> enough I am not having a problem doing the same with SSH just with these
> nonstandard ports. I was originally redirecting the traffic and then placing
> filtering rules to pass the traffic but since I could not get that to work I
> just tried having the redirection rules pass the traffic directly bypassing
> the filtering rules, and this does NOT work either. I would appreciate any
> insight someone can give me to what I am doing wrong as I have read the
> manual several times and googled forever with no luck.

Is $dmz_clip_addr's default gateway properly set to the pf box' vr0 address?

Otherwise run tcpdump on the pf box. You should see the TCP SYN with the
yet-untranslated destination address arrive in on $ext_if, then pass out on
$dmz_if with the destination address replaced ($dmz_clip_addr). Then you
should see the TCP SYN+ACK arrive in on $dmz_if (yet-untranslated from
$dmz_clip_addr), then out on $ext_if (with source address translated back).

It depends on where, exactly, in this sequence things go wrong. For
instance, with the wrong default gateway on $dmz_clip_addr, the pf box
wouldn't get the SYN+ACK back (since it's sent to a different gateway).

This assumes you're connecting from an external source. If it's an internal
one, replace $ext_if with $int_if above. For a source within the DMZ, the
redirection isn't supposed to work at all.

Daniel
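The four-step tcpdump sequence Daniel describes, turned into a small checker. This is an added example and not part of the thread or of pf itself: it assumes `tcpdump -n` was run separately on $ext_if and on $dmz_if on the pf box, and it classifies each captured line as one of the four expected observations (SYN in untranslated, SYN out translated, SYN+ACK in untranslated, SYN+ACK out translated back), then reports the first step that is missing together with the cause Daniel's mail points at for that step. Interface names, addresses and ports are constructed sample values, as are the tcpdump lines; for a client on the inside, capture $int_if instead of $ext_if, as the mail says.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed topology for the example (not from the thread): the redirected
# public address/port on the outside interface and the DMZ host it maps to.
EXT_IF, DMZ_IF = "vr0", "vr1"
EXT_ADDR, EXT_PORT = "198.51.100.10", 8443   # public address:port clients connect to
DMZ_ADDR, DMZ_PORT = "10.0.2.5", 8443        # $dmz_clip_addr:port the rdr targets

# Constructed `tcpdump -n -i vr0 port 8443` / `tcpdump -n -i vr1 port 8443`
# output for a working redirect. Each interface is captured on its own,
# so the interface a line came from is known from which list it is in.
GOOD_EXT = [
    "10:00:00.000100 IP 203.0.113.7.51234 > 198.51.100.10.8443: Flags [S], seq 1, win 65535, length 0",
    "10:00:00.000900 IP 198.51.100.10.8443 > 203.0.113.7.51234: Flags [S.], seq 9, ack 2, win 65535, length 0",
]
GOOD_DMZ = [
    "10:00:00.000300 IP 203.0.113.7.51234 > 10.0.2.5.8443: Flags [S], seq 1, win 65535, length 0",
    "10:00:00.000700 IP 10.0.2.5.8443 > 203.0.113.7.51234: Flags [S.], seq 9, ack 2, win 65535, length 0",
]

# tcpdump's IPv4/TCP line shape: "IP a.b.c.d.PORT > e.f.g.h.PORT: Flags [..]"
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "S." = SYN+ACK in tcpdump notation


def parse(line: str) -> Optional[Pkt]:
    """Parse one tcpdump -n TCP line; return None for anything else (ARP, ICMP, ...)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Pkt(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5))


def _seen(pkts: List[Pkt], **want) -> bool:
    """True if any packet matches every field given as a keyword (src, dport, flags, ...)."""
    return any(all(getattr(p, k) == v for k, v in want.items()) for p in pkts)


def diagnose(ext_capture: List[str], dmz_capture: List[str]) -> Tuple[int, str, str]:
    """Walk the expected sequence in order and return (failed_step, what_was_expected, hint).

    failed_step is 0 when all four observations are present.
    """
    ext = [p for p in map(parse, ext_capture) if p]
    dmz = [p for p in map(parse, dmz_capture) if p]
    checks = [
        (f"SYN in on {EXT_IF} to {EXT_ADDR}:{EXT_PORT} (destination still untranslated)",
         _seen(ext, dst=EXT_ADDR, dport=EXT_PORT, flags="S"),
         "the client's SYN never reached the pf box: check the address/port the client uses "
         "and whatever sits upstream of the pf box"),
        (f"SYN out on {DMZ_IF} to {DMZ_ADDR}:{DMZ_PORT} (destination translated)",
         _seen(dmz, dst=DMZ_ADDR, dport=DMZ_PORT, flags="S"),
         "the SYN arrived but was not redirected and forwarded: the rdr rule (interface, "
         "protocol, port) or a filter rule that blocks the translated packet"),
        (f"SYN+ACK in on {DMZ_IF} from {DMZ_ADDR}:{DMZ_PORT} (source still untranslated)",
         _seen(dmz, src=DMZ_ADDR, sport=DMZ_PORT, flags="S."),
         "the DMZ host did not answer through the pf box: check that its default gateway "
         "is the pf box's DMZ address and that it listens on the port"),
        (f"SYN+ACK out on {EXT_IF} from {EXT_ADDR}:{EXT_PORT} (source translated back)",
         _seen(ext, src=EXT_ADDR, sport=EXT_PORT, flags="S."),
         "the reply reached the pf box but was not translated back and passed out: "
         "no matching state entry for the reverse direction"),
    ]
    for step, (expected, ok, hint) in enumerate(checks, start=1):
        if not ok:
            return step, expected, hint
    return 0, "all four observations present", "the redirect works; look past the handshake"


if __name__ == "__main__":
    # Constructed failure case from the mail: the DMZ host answers via another
    # gateway, so the SYN+ACK never shows up on the DMZ interface of the pf box.
    step, expected, hint = diagnose(GOOD_EXT, GOOD_DMZ[:1])
    print(f"step {step} missing: {expected}\n  -> {hint}")
```

The checker deliberately follows the order of the mail: it stops at the first missing observation, because a later step being absent is only meaningful once the earlier ones are present (no SYN+ACK on $ext_if is uninteresting if the SYN never got to $dmz_if in the first place).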
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060201180901.GC1311>