From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 18:09:15 2006
Date: Wed, 1 Feb 2006 19:09:01 +0100
From: Daniel Hartmeier
To: Keith Bottner
Cc: freebsd-pf@freebsd.org
Subject: Re: Port redirection just not working!
Message-ID: <20060201180901.GC1311@insomnia.benzedrine.cx>
In-Reply-To: <0be301c62748$624140d0$0e01a8c0@Stile>
References: <0be301c62748$624140d0$0e01a8c0@Stile>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, Feb 01, 2006 at 09:58:45AM -0600, Keith Bottner wrote:
> I am having a problem getting packet filter to redirect incoming traffic
> destined for a specific IP and port to an internal DMZ host. Interestingly
> enough I am not having a problem doing the same with SSH, just with these
> nonstandard ports. I was originally redirecting the traffic and then placing
> filtering rules to pass the traffic, but since I could not get that to work I
> just tried having the redirection rules pass the traffic directly, bypassing
> the filtering rules, and this does NOT work either. I would appreciate any
> insight someone can give me into what I am doing wrong, as I have read the
> manual several times and googled forever with no luck.

Is $dmz_clip_addr's default gateway properly set to the pf box's vr0 address?

Otherwise run tcpdump on the pf box. You should see the TCP SYN with the
yet-untranslated destination address arrive in on $ext_if, then pass out on
$dmz_if with the destination address replaced ($dmz_clip_addr). Then you
should see the TCP SYN+ACK arrive in on $dmz_if (yet-untranslated from
$dmz_clip_addr), then out on $ext_if (with source address translated back).

It depends on where, exactly, in this sequence things go wrong. For instance,
with the wrong default gateway on $dmz_clip_addr, the pf box wouldn't get the
SYN+ACK back (since it's sent to a different gateway).

This assumes you're connecting from an external source. If it's an internal
one, replace $ext_if with $int_if above. For a source within the DMZ, the
redirection isn't supposed to work at all.

Daniel
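The four-packet tcpdump walk-through above, turned into a small checker as an added example (not part of the original thread): given pflog-style capture lines from the pf box, it reports how far the SYN / translated SYN / SYN+ACK / translated SYN+ACK sequence got and which link to check next. Interface names, the addresses and the sample lines are constructed assumptions.

```python
import re

# Constructed topology: interface names and RFC 5737 addresses are assumptions.
EXT_IF, DMZ_IF = "vr0", "vr1"
PUBLIC_ADDR, DMZ_CLIP_ADDR = "203.0.113.10", "192.0.2.50"

# "<dir> on <if>:" is the prefix pflog output carries; the TCP summary may use the
# old ("S", "S.") or the new ("Flags [S]", "Flags [S.]") tcpdump style.
PKT_RE = re.compile(
    r"(?P<dir>in|out) on (?P<if>\w+):.*?(?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"(?:Flags \[(?P<nf>[^\]]+)\]|(?P<of>[SAFRP.]+))"
)

def parse(line):
    # Reduce one capture line to the fields the rdr walk-through cares about.
    m = PKT_RE.search(line)
    if not m:
        return None
    flags = m.group("nf") or m.group("of")
    syn, ack = "S" in flags, ("." in flags or "A" in flags)
    kind = "SYN+ACK" if syn and ack else "SYN" if syn else "other"
    return {"dir": m.group("dir"), "if": m.group("if"), "kind": kind,
            "src": m.group("src"), "dst": m.group("dst")}

# The four packets a working rdr produces, in order: the fields expected at that
# stage and what to check when the sequence stops just before it.
STAGES = [
    ({"dir": "in", "if": EXT_IF, "kind": "SYN", "dst": PUBLIC_ADDR},
     "no SYN reached the pf box on ext_if: check the client and upstream routing"),
    ({"dir": "out", "if": DMZ_IF, "kind": "SYN", "dst": DMZ_CLIP_ADDR},
     "SYN not translated/forwarded: check the rdr rule and the pass rule on dmz_if"),
    ({"dir": "in", "if": DMZ_IF, "kind": "SYN+ACK", "src": DMZ_CLIP_ADDR},
     "SYN+ACK never came back via pf: check the DMZ host's default gateway"),
    ({"dir": "out", "if": EXT_IF, "kind": "SYN+ACK", "src": PUBLIC_ADDR},
     "reply reached pf but was not translated back: no state matched it"),
]

def diagnose(lines):
    """Return (stages_seen, hint); hint is None when all four stages were seen."""
    pkts = [p for p in map(parse, lines) if p]
    for n, (want, hint) in enumerate(STAGES):
        if not any(all(p[k] == v for k, v in want.items()) for p in pkts):
            return n, hint
    return len(STAGES), None

# Constructed pflog-style lines: a working redirect, then the same connection when
# the DMZ host's default gateway points elsewhere, so the SYN+ACK bypasses pf.
SAMPLE_OK = [
    "rule 3/0(match): pass in on vr0: 198.51.100.7.51000 > 203.0.113.10.8443: Flags [S]",
    "rule 5/0(match): pass out on vr1: 198.51.100.7.51000 > 192.0.2.50.8443: Flags [S]",
    "rule 6/0(match): pass in on vr1: 192.0.2.50.8443 > 198.51.100.7.51000: Flags [S.]",
    "rule 3/0(match): pass out on vr0: 203.0.113.10.8443 > 198.51.100.7.51000: Flags [S.]",
]
SAMPLE_BAD_GW = SAMPLE_OK[:2]
```

Feed it the lines from `tcpdump -n -e -i pflog0` with `log` on the relevant rules, or tag plain per-interface captures with the `in on`/`out on` prefix by hand.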