DaemonForums  

#1
13th December 2013
roggy
Port Guard

Join Date: Nov 2013
Posts: 41
Problem with new syntax pf

Hi,

I had the following rule:

no rdr on $iface_int proto tcp from $internal_network to 200.200.200.200 port { 80 443 }

According to the new syntax, how should this rule look?

Thanks!
#2
13th December 2013
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

Hello, and welcome!

The major syntax changes, including changing the "rdr" directive to "rdr-to", occurred with the release of OpenBSD 4.7. The two releases supported at this time are 5.3 and 5.4.

From the pf.conf(5) man page for OpenBSD 4.6, the "no rdr" syntax was shown in this example:
Code:
     In the example below, packets bound for one specific server, as well as
     those generated by the sysadmins are not proxied; all other connections
     are.

         no rdr on $int_if proto { tcp, udp } from any to $server port 80
         no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
         rdr on $int_if proto { tcp, udp } from any to any port 80 \
             -> 127.0.0.1 port 80
The syntax was simplified. With rdr-to directives usable with either pass or match rules, the equivalent to the no rdr rule is not needed. Here is the same example, from the 5.4 version of the same man page:
Code:
     In the example below, packets bound for one specific server, as well as
     those generated by the sysadmins are not proxied; all other connections
     are.

         pass in on $int_if proto { tcp, udp } from any to any port 80 \
               rdr-to 127.0.0.1 port 80
         pass in on $int_if proto { tcp, udp } from any to $server port 80
         pass in on $int_if proto { tcp, udp } from $sysadmins to any port 80

#3
13th December 2013
roggy
Port Guard

Join Date: Nov 2013
Posts: 41

Thanks jggimi,

Then the new rule would only be

pass rdr on $iface_int proto tcp from $internal_network to 200.200.200.200 port { 80 443 }

so it would deny?
#4
13th December 2013
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

No.
  1. As of OpenBSD 4.7, "rdr" was changed to "rdr-to", as there are many other "*-to" directives now in PF. Rule sets that use the "rdr" directive will not load. You will get a syntax error.
  2. As the 5.4 man page directs, set your general redirection rule with "rdr-to", then follow that with your specific rule(s) that will not redirect.
All we know about your environment is that you have one single "no rdr" rule. If you want further guidance, please provide more information.
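Putting the two steps above together for the rule from the question, as an added pf.conf sketch that is not from the thread: the general redirection rule is never shown in the thread, so its target ($proxy_addr, $proxy_port) is a placeholder, and $iface_int / $internal_network are assumed to be defined as in the original ruleset.

```pf
# Added example, not from the thread. $iface_int and $internal_network are
# assumed to be defined as in the question; $proxy_addr and $proxy_port are
# placeholders for the redirection target the original "rdr" rule pointed at.

# 1. General redirection rule, OpenBSD 4.7+ syntax: "rdr-to" on a pass rule.
pass in on $iface_int proto tcp from $internal_network to any port { 80 443 } \
    rdr-to $proxy_addr port $proxy_port

# 2. The former "no rdr" exception: a later pass rule with no rdr-to.
#    PF applies the last matching rule, so connections to 200.200.200.200
#    match here instead and are passed without translation. This rule must
#    stay below the general one, and the general one must not carry "quick",
#    or the exception is never reached and the redirect applies anyway.
pass in on $iface_int proto tcp from $internal_network to 200.200.200.200 port { 80 443 }
```

Check the ordering with `pfctl -nf /etc/pf.conf` before loading, and confirm with `pfctl -sr` that the exception is listed after the rdr-to rule.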