|||
port redirection problem in pf
Hello, I'm new to OpenBSD. I'm having problems with port forwarding on my OpenBSD 5.2 DHCP server.
I have forwarded port 80 and port 443 to my web server. It's working from outside my local network, but it's not working to visit mydomain.com when I'm in my local network. What rule do I need to make this happen?

pf.conf:
Code:
# Set network interfaces
ext_if="em0"   #internet
int_if="em1"   #LAN
wwwserver = "192.168.1.12"
openvpn ="192.168.1.148"
windows ="192.168.1.15"
services = "{ http, https, domain }"

# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"

# Skip all loopback traffic
set skip on lo

# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass on $int_if all
pass out on $ext_if all
block in log quick on $ext_if inet proto icmp from any to any icmp-type redir
block in quick on $ext_if from $nonroutable to any
block out quick on $ext_if from any to $nonroutable

# Allow inbound traffic on internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }

#NAT
##web server##
pass in quick on $ext_if proto { tcp } from any to any port { http, https } flags S/SA rdr-to $wwwserver
##openvpn##
pass in quick on $ext_if proto { tcp, udp } from any to any port { 1194 } flags S/SA rdr-to $openvpn
pass in quick on $ext_if proto { tcp } from any to any port { 2301 } flags S/SA rdr-to $openvpn
##windows##
pass in quick on $ext_if proto { tcp, udp } from any to any port { 32400 } flags S/SA rdr-to $windows

block return-rst in log quick on $ext_if inet proto tcp from any to any
block return-icmp in log quick on $ext_if inet proto udp from any to any
block in quick on $ext_if all
|||
This is normal. This issue is explained at http://www.openbsd.org/faq/pf/rdr.html#reflect
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|||
rdr-to nat did not work
I tried this one first:
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } flags S/SA \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } flags S/SA \
    received-on $int_if nat-to $int_if

pf.conf
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
    rdr-to 127.0.0.1 port 5000

Code:
127.0.0.1:5000 stream tcp nowait proxy /usr/bin/nc nc -w \
    20 192.168.1.12 80

Last edited by petter; 27th February 2013 at 11:54 PM.
|||
Also make sure you restarted inetd. Does $ netstat -an -f inet confirm that the proxy is listening on port 5000?
|||
*edit*
Copy-paste error: the IP in my proxy was 192.168.1.12. I did a reboot, but it did not help. Any suggestions?

Code:
tcp        0      0  127.0.0.1.5000         *.*                    LISTEN

pfctl -s rules:
Code:
pass in on em1 inet proto tcp from 192.168.1.0/24 to "my external ip" port = 80 flags S/SA rdr-to 127.0.0.1 port 5000

Last edited by petter; 27th February 2013 at 11:51 PM.
|||
If I were you, I would first reorganize the pf.conf. Order the rules nicely by interface and direction. Add quick if you want to defeat pf's "last matching rule wins" strategy.
For the internal interface this would look like this:
Code:
# ----- INTERNAL INTERFACE in
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to "my external ip" port = 80 flags S/SA rdr-to 127.0.0.1 port 5000

# ---- INTERNAL INTERFACE out
pass out quick on $int_if all

From another xterm, run tcpdump on the internal interface to see the proxied packets (port 80).
|||
I did change the pf.conf and used the quick statement, and all I could see in tcpdump from my IP address on the internal network card of the server was:
Code:
02:45:32.318181 192.168.1.1.ssh > 192.168.1.14.58767: P 30464:30864(400) ack 49 win 2172 <nop,nop,timestamp 3017630544 969479246> [tos 0x10]

That's all between me and the server; nothing interesting on the external network card. This is from my Mac OS X:
Code:
01:50:55.378112 IP 192.168.1.14.65245 > "externalIP": Flags [S], seq 701491116, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 969744836 ecr 0,sackOK,eol], length
|||
Did you manage to get this working?
I spent some time on this last night, but somehow became busier fighting proxy ARP on my wireless connection than debugging the proxy on 127.0.0.1:500
|||
No, but I don't think the problem is the proxy. I'm a student living in a student apartment, and the school offers the internet connection. We have our own external IP with a domain apartment-nr-schoolname.no, and the web domain I bought is mydomain.com. When I'm trying to get to mydomain.com from my local network, the route was:
Code:
15:16:37.137129 192.168.1.14.51290 > apartment-nr-schoolname.no.www: S 546874096:546874096(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 753873359 0,sackOK,eol> (DF)
15:16:37.137148 apartment-nr-schoolname.no.www > 192.168.1.14.51290: R 0:0(0) ack 546874097 win 0

And just some extra: mydomain.com works when I'm connected from the internet with VPN (PPTP or OpenVPN) to a server in my local network and send all the traffic over the VPN. I don't have any idea how to fix this. I looked at split-horizon DNS, but it seems difficult for a beginner.

Last edited by petter; 6th March 2013 at 06:55 PM.
|||
WTF?! It suddenly worked. I did nothing at all and the redirection started to work. Good for me ^^
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
    received-on $int_if nat-to $int_if
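Why the second rule (received-on $int_if nat-to $int_if) is needed at all is easier to see traced out than read from the FAQ. The Python below is an added illustration written for this page, not code from the post or from the OpenBSD FAQ, and it is a model, not pf: it keeps one rdr-to rule, an optional nat-to, a per-connection state entry, and the one fact that matters, that two hosts on the same LAN deliver to each other directly without passing the firewall. The external address 203.0.113.5 is made up; the LAN addresses (firewall 192.168.1.1, client 192.168.1.14, web server 192.168.1.12) are the ones visible in the thread's tcpdump and pf.conf. `handshake(False)` is rdr-to alone, `handshake(True)` is the rule pair above.

```python
"""Trace a LAN client connecting to $wwwserver via the firewall's external address.

Added example for this page (standard library only); not pf code and not from
the forum post or the OpenBSD FAQ.  The external address is constructed
(TEST-NET-3); the LAN addresses are the ones the thread itself shows.
"""
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.5"     # assumed $ext_if (em0) address, not from the thread
FW_INT_IP = "192.168.1.1"  # $int_if (em1) address, from the thread's tcpdump
CLIENT = "192.168.1.14"    # LAN client, from the thread's tcpdump
SERVER = "192.168.1.12"    # $wwwserver
LAN_PREFIX = "192.168.1."  # 192.168.1.0/24


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" (SYN) or "SA" (SYN-ACK) is all this model needs


class Firewall:
    """Stand-in for pf on $int_if: rdr-to, optional nat-to, and a state table."""

    def __init__(self, nat_to):
        self.nat_to = nat_to
        self.next_nat_port = 50000
        # reverse map: (src, sport) as the server sees them -> (client, client port)
        self.states = {}

    def from_lan(self, p):
        """pass in on $int_if ... to $ext_if port 80 rdr-to $wwwserver, and with
        nat_to also: pass out on $int_if ... received-on $int_if nat-to $int_if."""
        if not (p.dst == EXT_IP and p.dport == 80 and p.flags == "S"):
            return p                       # unrelated traffic: routed unchanged
        src, sport = p.src, p.sport
        if self.nat_to:                    # make the server answer the firewall
            src, sport = FW_INT_IP, self.next_nat_port
            self.next_nat_port += 1
        self.states[(src, sport)] = (p.src, p.sport)
        return replace(p, src=src, sport=sport, dst=SERVER)

    def from_server(self, p):
        """A reply that did reach the firewall: undo nat-to and rdr-to."""
        orig = self.states.get((p.dst, p.dport))
        if orig is None:
            return None                    # no state: blocked
        client, client_port = orig
        return replace(p, src=EXT_IP, sport=80, dst=client, dport=client_port)


def deliver_reply(fw, synack):
    """The server hands its SYN-ACK straight to any LAN host except the firewall."""
    if synack.dst.startswith(LAN_PREFIX) and synack.dst != FW_INT_IP:
        return synack                      # same subnet: ARP and direct delivery
    return fw.from_server(synack)


def handshake(nat_to):
    """SYN and SYN-ACK only.  Returns (client_accepts, (src, sport) the client saw)."""
    fw = Firewall(nat_to)
    syn = Pkt(CLIENT, 51290, EXT_IP, 80, "S")   # client's default route is the firewall
    out = fw.from_lan(syn)
    synack = Pkt(SERVER, 80, out.src, out.sport, "SA")  # server answers whoever it saw
    seen = deliver_reply(fw, synack)
    if seen is None:
        return False, None
    # The client's socket is (CLIENT:51290 -> EXT_IP:80).  A SYN-ACK from any other
    # 4-tuple matches no connection, so the client's stack discards it or answers
    # with a RST; either way the connection never completes.
    ok = (seen.src, seen.sport, seen.dst, seen.dport) == (EXT_IP, 80, CLIENT, 51290)
    return ok, (seen.src, seen.sport)


if __name__ == "__main__":
    for nat in (False, True):
        ok, seen = handshake(nat)
        print(f"nat-to={nat}: SYN-ACK from {seen} -> {'connected' if ok else 'dropped'}")
```

With rdr-to alone the SYN-ACK arrives from 192.168.1.12:80, an address the client never connected to; with nat-to it arrives from the external address, because the server replied to the firewall and pf reversed both translations. The price of the nat-to approach is that the web server sees 192.168.1.1 as the source of every LAN connection, so its logs no longer show which LAN host connected; the inetd/nc proxy tried earlier in the thread has the same effect, since the proxy connects from the firewall's own address.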
|||
RE: split-horizon DNS
If you do not host the name server for your web server on your local LAN, you do not have to do a split-horizon DNS at all. You can use the simple configuration described in BIND 9 : Caching and forward-only named.conf as a starting point. You only have to add something like:
Code:
zone "de.filo" in {
        type master ;
        file "master/de.filo" ;
};

These "de.filo" queries should be answered as an authoritative nameserver using the "de.filo" zone file in the /var/named/master/ directory (see # ls -l /var/named/master/). The "de.filo" example zone file can be found at Authoritative only BIND nameserver for local domain. I just tested this and the configuration file looks like this:
Code:
// Caching and forward only configuration

// Access Control List
acl clients {
        127.0.0.1 ;
        192.168.222.0/24 ;
};

options {
        forward only ;
        forwarders { 192.168.222.10 ; } ;
        allow-query { clients ; } ;
        // max-cache-size is in bytes : echo '2 * 1024^2' | bc
        max-cache-size 2097152 ;
        empty-zones-enable yes;
} ;

zone "de.filo" in {
        type master ;
        file "master/de.filo" ;
};

# After editing this file please use 'named-checkconf' to validate!

In case you would like to give it a shot, first get this exact configuration working on your OBSD firewall and then adjust the name and contents of this zone file to match your internal web server data.