DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 19th September 2010
nobodyb nobodyb is offline
New User
 
Join Date: Sep 2010
Posts: 4
Default new to pf

hello experts,

I am new to pf. I would like to port forwarding 80 on my machines. Everything works fine, but port 80 is not open. I have tried my best, but still not luck. Kindly advise on how to imporve my pf.

ext_if = "tl0"
int_if = "re0"
dmz_if = "cl0"
icmp_types = "{unreach}"
tcp_services = "{www}"

match out on $ext_if from any nat-to ($ext_if)
match in on $ext_if proto tcp from any to any port 80 tag WWW rdr-to 192.168.1.3 port 80

block log all
block all

pass out keep state

set skip on lo
set skip on $int_if
set skip on $dmz_if

pass out on $ext_if proto tcp to any port $tcp_services

## below line might not be necessary, but I want to make sure port 80 is open
pass in on $ext_if proto tcp from any to any port 80 rdr-to 192.168.1.3

pass inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $ext_if tagged WWW
pass out quick on $ext_if inet all keep state
pass out quick on $dmz_if tagged WWW

#By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
## another OpenBSD fan
Reply With Quote
  #2   (View Single Post)  
Old 19th September 2010
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

192.168.1.3 should be probably replaced with internal interface unless it is address of your web-server? You are also not passing any traffic on internal interface?
Reply With Quote
  #3   (View Single Post)  
Old 19th September 2010
nobodyb nobodyb is offline
New User
 
Join Date: Sep 2010
Posts: 4
Default

Yes, 192.168.1.3 is my web_server addr. I have one int_if machine 10.0.0.1 I just add these two lines, please correct me.
pass in quick on $int_if from 10.0.0.1 to any flags S/SA
pass in quick on $dmz_if from 192.168.1.3

## is this ok?
Reply With Quote
  #4   (View Single Post)  
Old 19th September 2010
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by nobodyb View Post
Yes, 192.168.1.3 is my web_server addr. I have one int_if machine 10.0.0.1
These two addresses are not on the same subnet. Do you have a router located inside the firewall?
Reply With Quote
  #5   (View Single Post)  
Old 19th September 2010
nobodyb nobodyb is offline
New User
 
Join Date: Sep 2010
Posts: 4
Default

Quote:
Originally Posted by ocicat View Post
These two addresses are not on the same subnet. Do you have a router located inside the firewall?
Yes.
Reply With Quote
  #6   (View Single Post)  
Old 19th September 2010
nobodyb nobodyb is offline
New User
 
Join Date: Sep 2010
Posts: 4
Default

Can anyone point me to a right direction? I tried to add or remove some lines, but still no luck.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:15 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick