I have an openbsd/pf firewall between my dsl router and the internal lan. I'm new to pf but I figured everything out except world access to a jailed apache server. The layout is pretty much this (I have deleted my attempt to serve the webserver since it wasn't working. Deleting it had no effect.):
Quote:
(123.456.789.101) static address
dsl router
(10.0.0.1)
|
(10.0.0.2)
firewall
(192.168.1.1)
|
(192.168.1.2)
server ---->jailed apache(192.168.1.13)
|
I can ping and ssh into the jail fine, just like it was a different box, and I can jexec into it when I'm on the host box. The router forwards ssh login requests to the firewall, and that works, and http requests to the jail IP address; that doesn't work. Everything else is refused. All the machines in the internal network can get pages served from the jailed apache, and also pages from an apache process running on the jail's host, but the internet cannot get the jailed pages. What rule do I need? Everything else is OK. My pf.conf is below. It is by and large trial-and-error and cut-and-paste:
Code:
## Macros
ext_if="fxp0"
int_if="xl0"
internal_net="192.168.1.0/24"
##================================
## Tables
table <brutes> persist file "/var/db/brutes"
##================================
## Options
# Set the default policy to return RSTs or ICMPs for blocked traffic.
set block-policy return
# Optimize parsing algorithms
set optimization normal
# Ignore the loopback interface entirely.
set skip on lo0
# Check for address spoofing
antispoof for fxp0 inet
##================================
## Normalize
match log on $ext_if all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1460)
##================================
## Translation
match out on egress from $int_if:network to any nat-to (egress)
##================================
## Filtering
# Default deny rule, with all blocked packets logged.
block log all
# Drop the infected IP addys without further ruleset parsing,
block in quick log on $ext_if from <brutes> to any
# Add persistent ssh login attempts to the brutes table (10 per source IP, 2 attempts in 5 sec. max.)
pass in on $ext_if proto tcp to port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/5, overload <brutes> flush)
# Outgoing POP3 to receive mail
pass out on $ext_if proto tcp from $internal_net to any port = 110 keep state
# Outgoing SMTP to send mail
pass out on $ext_if proto tcp from $internal_net to any port = 25 keep state
# Pass all traffic to and from the local network
pass quick on $int_if all
# Permit all traffic going out
pass out keep state
##================================
Thanks for any pointers.
tf
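Added example, not part of tf's post and not OpenBSD project code: the one rule the posted ruleset has no counterpart for. Inbound ssh works because there is a `pass in on $ext_if ... port ssh` rule; inbound http has no such rule, so `block log all` drops it before it ever reaches the jail. The fragment below assumes the DSL router forwards TCP port 80 to the firewall's outside address 10.0.0.2 (so the packet arrives on fxp0 addressed to the firewall itself, and the destination must be rewritten to the jail), that 192.168.1.13 is reachable from xl0 as the post says it is, and that the macro name `web_srv` is my own choice. It uses the same `rdr-to` syntax family as the `nat-to` and `match ... scrub` lines already in the posted ruleset (OpenBSD 4.7 and later).

```pf
## Macros (same as the posted ruleset)
ext_if="fxp0"
int_if="xl0"
internal_net="192.168.1.0/24"
# Assumed macro for the jailed apache address; the name is mine, not from the post.
web_srv="192.168.1.13"

## Filtering (only the lines relevant to inbound http are shown)
block log all

# Inbound HTTP from the internet. The router delivers it to the firewall's own
# outside address, so rewrite the destination to the jail and pass it in the
# same rule. "($ext_if)" reads the address off fxp0 at run time, so it keeps
# working if the router hands the firewall a different address later.
# The port 80 restriction keeps this from becoming a general hole into the LAN.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    rdr-to $web_srv port 80

# Already present in the posted ruleset: lets the redirected packets leave on xl0
# toward the jail. State created by the rule above also matches the replies.
pass quick on $int_if all
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`, and confirm with `pfctl -sr` that the rule is there and with `pfctl -ss` that a state appears when an outside client connects. If it still fails, `tcpdump -n -e -ttt -i pflog0 port 80` on the firewall shows whether port 80 packets are being blocked on fxp0 at all; if nothing shows up there, the DSL router is not forwarding them to 10.0.0.2 in the first place. If the router is in fact forwarding to 192.168.1.13 directly rather than to the firewall, the packets arrive on fxp0 already addressed to the jail, and the rule should instead be `pass in on $ext_if inet proto tcp from any to $web_srv port 80` with no `rdr-to`.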