#5
5th April 2013
Popelicious
New User
Join Date: Mar 2013
Posts: 5

Hello everyone. After tinkering with pf and reading all the pf stuff I could find, I got a ruleset working for my conf.

My only problem is that I can only reach the services behind the pf box if I use the same machine as the gateway for the box that is running those services, something that unfortunately can't be done.

At the minute I have 2 routers from my ISP with 8 public IPs each, one of them being 192.168.0.1 and the other 192.168.10.1.
The .0.1 router uses NAT for its 8 public IPs and .10.1 routes its 8 public IPs to a single iptables-based firewall, with if_ext 192.168.10.5 and if_int 192.168.200.25.

My pf box is behind one of the NAT addresses, and everything seems to be fine if I use it as the gw for all the boxes I redirect ports to. The problem arises when I redirect ports to a box that has gw 192.168.200.25.

For example, let's say I have 192.168.200.93 as the www server and the pf box is 192.168.200.152. If I have set .200.93's gateway as .200.152 (the pf box), everything works and I can access the www server from outside with no problems.
Now, if that gateway gets changed to the .200.25 box, it won't.

What is eating me is that this configuration does work for other machines if I use iptables, so I'm sure it's my pf configuration.

Here it is:
Code:
#interfaces
ext_if="rl0"
int_if="nfe0"

#ftp (ftp-proxy listening on 127.0.0.1:8021 installs its rules in this anchor)
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#networks
lan="192.168.200/24"
ip="public ip"

#services pf box
servicios_tcp="{domain}"
servicios_udp="{domain}"
servicios_icmp="echoreq"

# internal server
serv_ip="192.168.200.93"
servicios_serv="{ldap,smtp,www,https,imaps}"

#block policy and log
set block-policy return
set loginterface $ext_if
set skip on {lo enc0}

#scrub in all #commented due to testing

# default deny inbound, allow everything outbound
block in log all
pass out keep state
pass quick on { lo }
antispoof quick for { lo $int_if }

# trust the LAN side completely
pass in quick log on $int_if

#nat
match out log on egress from $int_if:network to any nat-to (egress) #test nat

# port forwards to the internal server
match in log on $ext_if proto tcp from any to any port 80 rdr-to $serv_ip port 80
match in log on $ext_if proto tcp from any to any port 443 rdr-to $serv_ip port 443

# services offered by the pf box itself
pass in on $ext_if inet proto tcp from any to ($ext_if) port $servicios_tcp keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $servicios_udp keep state
pass in inet proto icmp all icmp-type $servicios_icmp keep state

# services forwarded to the internal server (after rdr-to)
pass in on $ext_if proto tcp from any to any port $servicios_serv flags S/SA synproxy state
Can anyone explain to me what is happening?

Thanks

Last edited by Popelicious; 5th April 2013 at 12:30 PM.
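The behaviour described above is the classic asymmetric return path of a port forward: the pf box rewrites the destination of the inbound SYN to 192.168.200.93, but the server sends its SYN-ACK to the original (public) client address via its own default gateway, 192.168.200.25. That reply never crosses the pf box, so the state created by the rdr-to rule (and, with synproxy, the handshake the pf box is itself trying to complete with the server) is never finished, and the outside client sees nothing. When the server's gateway is the pf box, the reply comes back through nfe0 and the state matches, which is why that case works. The usual fix is to also source-NAT the redirected connections to the pf box's internal address, so the server answers to 192.168.200.152 whatever its default gateway is. The fragment below is an added example, not the poster's ruleset; the interface names and addresses are the ones given in the post, and the variable web_ports is assumed for the example.

```pf
# Added example (not the poster's pf.conf): return-path fix for a port
# forward to a server whose default gateway is NOT the pf box.
ext_if="rl0"                      # external interface, from the post
int_if="nfe0"                     # internal interface, from the post
serv_ip="192.168.200.93"          # web server, from the post
lan="192.168.200.0/24"            # internal network, from the post
web_ports="{ www, https }"        # assumed name for this example

# 1. Redirect inbound HTTP/HTTPS arriving on the external interface to the
#    internal server (same idea as the two rdr-to rules in the post).
match in log on $ext_if inet proto tcp from any to ($ext_if) port $web_ports \
    rdr-to $serv_ip

# 2. As the redirected packets leave via the internal interface, rewrite their
#    source to the pf box's own internal address (192.168.200.152 in the post).
#    The server now replies to the pf box directly on the LAN segment, so its
#    default gateway (192.168.200.25) is never consulted and the state matches.
#    Only connections that did not originate on the LAN are rewritten, so
#    ordinary LAN-to-server traffic is untouched.
#    Cost: the web server's logs show 192.168.200.152 instead of the real
#    client address; use X-Forwarded-For / a reverse proxy if that matters.
match out on $int_if inet proto tcp from ! $lan to $serv_ip port $web_ports \
    nat-to ($int_if)

# 3. Let the redirected connections in and track state (synproxy state also
#    works here once the return path is symmetric).
pass in on $ext_if inet proto tcp from any to $serv_ip port $web_ports \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. To confirm the diagnosis before changing anything, run `tcpdump -ni nfe0 host 192.168.200.93 and port 80` on the pf box while connecting from outside: with the server's gateway set to .200.25 you will see the SYN go out but no SYN-ACK come back; after the nat-to rule is in place, `pfctl -ss | grep 192.168.200.93` shows the state reaching ESTABLISHED:ESTABLISHED.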