Date: Wed, 1 Feb 2006 09:58:45 -0600
From: "Keith Bottner" <keith@barkinglizards.com>
To: <freebsd-pf@freebsd.org>
Subject: Port redirection just not working!
Message-ID: <0be301c62748$624140d0$0e01a8c0@Stile>
I am having a problem getting packet filter to redirect incoming traffic destined for a specific IP and port to an internal DMZ host. Interestingly enough, I am not having a problem doing the same with SSH, just with these nonstandard ports. I was originally redirecting the traffic and then placing filtering rules to pass the traffic, but since I could not get that to work I just tried having the redirection rules pass the traffic directly, bypassing the filtering rules, and this does NOT work either. I would appreciate any insight someone can give me into what I am doing wrong, as I have read the manual several times and googled forever with no luck.

Any help would be appreciated,

Keith

My firewall has 3 NICs: 1 external, 1 DMZ, and 1 internal.

##########
# MACROS #
##########
ext_if="xl1"
ext_gw_addr="X.Y.Z.17"
ext_nat_addr="X.Y.Z.18"
ext_http_addr="X.Y.Z.19"
ext_ftp_addr="X.Y.Z.19"
ext_blits_addr="X.Y.Z.19"
ext_unused1_addr="X.Y.Z.20"
ext_unused2_addr="X.Y.Z.21"
ext_ea_addr="X.Y.Z.22"

# Internal (Intranet)
int_if="xl0"
int_net="192.168.1.0/24"

# DMZ
dmz_if="vr0"
dmz_net="10.11.13.0/24"
dmz_http_addr="10.11.13.100"
dmz_ftp_addr="10.11.13.100"
dmz_nimb_addr="10.11.13.106"
dmz_clip_addr="10.11.13.103"
dmz_three_addr="10.11.13.203"
dmz_four_addr="10.11.13.204"
dmz_five_addr="10.11.13.205"

##########
# TABLES #
##########
table <priv_nets> const { 127/8, 10/8, 172.16/12, 192.168/16 }
table <firewall> const { X.Y.Z.18, X.Y.Z.19, X.Y.Z.20, X.Y.Z.21 }

#################
# NORMALIZATION #
#################
scrub in all fragment reassemble

############
# QUEUEING #
############

###############
# TRANSLATION #
###############
# FTP Active connections
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT workstations
nat on $ext_if from $int_net to any -> $ext_nat_addr

# NAT servers external requests
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

###############
# REDIRECTION #
###############
# *********** DOES NOT WORK - START ***********
rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr pass on $int_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4040:4044 -> $dmz_four_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4040:4044 -> $dmz_four_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4050:4054 -> $dmz_five_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4050:4054 -> $dmz_five_addr
# *********** DOES NOT WORK - END ***********

rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http
rdr on $int_if proto tcp from any to $ext_http_addr port http -> $dmz_http_addr port http

rdr on $ext_if proto tcp from any to $ext_http_addr port ssh -> $dmz_http_addr
rdr on $int_if proto tcp from any to $ext_http_addr port 200 -> $dmz_http_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_nimb_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_nimb_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 223 -> $dmz_three_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 223 -> $dmz_three_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 224 -> $dmz_four_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 224 -> $dmz_four_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 225 -> $dmz_five_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 225 -> $dmz_five_addr port ssh

rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr
rdr on $int_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $int_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr

#############
# FILTERING #
#############
block in log all
block out log all

pass quick on lo0 all

block in log quick on $ext_if from <priv_nets> to any
block out quick on $ext_if from any to <priv_nets>

antispoof quick for { $int_if, $dmz_if } inet

pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state

anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state

pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state

pass in log on $ext_if proto tcp from any to $dmz_http_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_nimb_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_clip_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_three_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_four_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_five_addr port ssh flags S/SA synproxy state

# *********** HERE ARE THE OLD RULES I WAS USING BEFORE I DECIDED TO REMOVE THEM AND JUST PASS IN
# *********** THE REDIRECTION RULES ABOVE. INCLUDED THEM HERE FOR COMPLETENESS.
#pass in on $ext_if proto tcp from any to $dmz_clip_addr port 9874
#pass in on $ext_if proto tcp from any to $dmz_three_addr port { 4030 4031 4032 4033 4034 } flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $dmz_four_addr port { 4040 4041 4042 4043 4044 } flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $dmz_five_addr port { 4050 4051 4052 4053 4054 } flags S/SA synproxy state

pass in on $int_if from $int_net to any keep state
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
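A small offline checker for rulesets like the one above, added here as an example and not part of the post: it parses the subset of pf rdr syntax used in the message (macros, `rdr [pass] on IF proto tcp from any to ADDR port P[:Q] -> TARGET [port T]`), expands macros and port ranges, and reports the effective (interface, external address, port) to target mapping under pf's first-match semantics for translation rules, flagging any later rdr that is shadowed by an earlier one. The embedded ruleset is a constructed excerpt modelled on the post (the X.Y.Z addresses are the post's own placeholders) with one deliberately shadowed rule appended to show the check firing.

```python
import re

# Constructed excerpt modelled on the post's rules; the last line is a deliberate
# duplicate of an earlier external-address/port pair so the shadowing check fires.
PF_CONF = """
ext_if="xl1"
ext_http_addr="X.Y.Z.19"
ext_blits_addr="X.Y.Z.19"
dmz_http_addr="10.11.13.100"
dmz_clip_addr="10.11.13.103"
dmz_three_addr="10.11.13.203"
rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr
rdr on $ext_if proto tcp from any to $ext_http_addr port ssh -> $dmz_http_addr
rdr on $ext_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 220 -> $dmz_three_addr port ssh
"""

SERVICES = {"ssh": 22, "http": 80, "ftp": 21}  # service names the excerpt uses
MACRO_RE = re.compile(r'^(\w+)="?([^"\s]+)"?$')
RDR_RE = re.compile(
    r'^rdr(?P<pass>\s+pass)?\s+on\s+(?P<if>\S+)\s+proto\s+tcp\s+from\s+\S+\s+to\s+'
    r'(?P<dst>\S+)\s+port\s+(?P<port>\S+)\s+->\s+(?P<tgt>\S+)(?:\s+port\s+(?P<tport>\S+))?$')

def port_num(tok):
    """Resolve a service name or numeric port token to an integer."""
    return SERVICES.get(tok) or int(tok)

def expand(tok, macros):
    """Replace a $macro reference with its value; leave literals untouched."""
    return macros.get(tok[1:], tok) if tok.startswith("$") else tok

def effective_rdr(conf):
    """Return ({(iface, dst_addr, dst_port): (passes, target, target_port)}, shadowed).
    The first rdr matching a key wins, as in pf; later matches land in `shadowed`."""
    macros, table, shadowed = {}, {}, []
    for line in conf.splitlines():
        line = line.split("#")[0].strip()  # drop comments
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        r = RDR_RE.match(line)
        if not r:
            continue  # nat, anchors, filter rules etc. are not translation targets here
        lo, _, hi = r.group("port").partition(":")
        lo, hi = port_num(lo), port_num(hi or lo)
        for p in range(lo, hi + 1):  # expand P:Q ranges to individual ports
            key = (expand(r.group("if"), macros), expand(r.group("dst"), macros), p)
            tport = port_num(r.group("tport")) if r.group("tport") else p
            val = (bool(r.group("pass")), expand(r.group("tgt"), macros), tport)
            (shadowed.append((key, val)) if key in table else table.setdefault(key, val))
    return table, shadowed
```

Comparing this table against `pfctl -sn` output on the firewall shows whether the loaded rdr rules match what the file intends before looking further at filtering or the DMZ hosts' routing.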