27th June 2011
Dr-D
Port Guard
Join Date: Jun 2011
Posts: 43

I'm having problems getting internal connections to servers by using URLs rather than IP addresses.

I've read the instructions here http://www.openbsd.org/faq/pf/rdr.html but still can't get it to work. I added the following line to /etc/inetd.conf
Code:
127.0.0.1:5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 192.168.0.55 80
and started the inetd service, then added these lines to my pf.conf:
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to 127.0.0.1 port 5000 
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
pass out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if
and restarted pf, but it's not working.

Here is my complete pf.conf file:
Code:
# macros
int_if="xl0"
ext_if="xl1"
int_net="{ 192.168.0.0/24 }"
whs="192.168.0.50"
pc1="192.168.0.20"
pc2="192.168.0.21"
websrv="192.168.0.55"

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
# start internal connection
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to 127.0.0.1 port 5000
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
pass out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if
# end internal connection
pass in on egress inet proto tcp to (egress) port 80 rdr-to $websrv synproxy state
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 synproxy state
pass in log on $int_if
What is wrong that is preventing this from working?

Am I making my firewall less secure by running inetd to accomplish this?

I'm also not quite understanding what egress and (egress) mean. Does
Code:
egress = $int_if
(egress) = $ext_if

Thanks.
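Added example (editorial, not part of Dr-D's post and not copied from the OpenBSD FAQ): the rdr-to/nat-to reflection method from the FAQ page the post links to, written with match rules and without the inetd/nc proxy. Two pf behaviours are relevant to reading it. First, without quick the last matching pass or block rule decides the verdict, and a translation (rdr-to, nat-to) on a pass rule is applied only when that pass rule is the final match, whereas a translation on a match rule is applied and kept no matter which rule decides afterwards. Second, egress is the interface group OpenBSD automatically places the default-route interface in, and (egress) means the address(es) of that interface resolved at evaluation time, so with a default route via xl1 both refer to $ext_if, not $int_if. The macros and addresses are taken from the post; that the default route leaves via xl1 is an assumption.

```pf
# Added example (not the poster's pf.conf): NAT reflection so LAN hosts can
# reach the web server through the firewall's external address, using
# rdr-to/nat-to only, with no inetd proxy.
# Assumptions: xl0 inside, xl1 outside, web server 192.168.0.55 (from the
# post), and the default route leaves via xl1, so the "egress" group
# contains xl1.

int_if="xl0"
ext_if="xl1"
int_net="{ 192.168.0.0/24 }"
websrv="192.168.0.55"

set block-policy drop
set skip on lo

match in all scrub (no-df)

# Outbound masquerading. "egress" is the group holding the default-route
# interface; (egress:0) is its primary (non-alias) address, looked up when
# the rule is evaluated rather than when the ruleset is loaded.
match out on egress inet from !(egress) to any nat-to (egress:0)

# Reflection as match rules: a match rule's translation is applied and kept
# even though later pass/block rules decide the final verdict, so a later
# "pass out quick" or a catch-all "pass in on $int_if" cannot undo it.
# Step 1: LAN client -> xl1 address, port 80 is redirected to the web server.
match in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
# Step 2: as that packet leaves on xl0, rewrite the source to the firewall's
# inside address so the server's replies come back through pf (which holds
# the state) instead of going straight to the client from an address the
# client never connected to.
match out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if

block in log
pass out quick
antispoof quick for { lo $int_if }

# Internet -> web server, as in the post
pass in on egress inet proto tcp to (egress) port 80 rdr-to $websrv synproxy state

# LAN -> firewall, and LAN -> reflected web server (rdr-to already applied)
pass in log on $int_if
```

Because the translation is done entirely in pf, nothing has to listen on 127.0.0.1:5000, so the inetd entry and the extra listening service on the firewall are not needed for this method. One consequence of the nat-to step worth knowing when reading the web server's logs: reflected connections from LAN clients arrive with the firewall's xl0 address as their source, so they are attributed to the firewall rather than to the individual client, while pf's own state table and logs still show the real client.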