DaemonForums  


FreeBSD Security Securing FreeBSD.

#1
2nd October 2021, epitaxial

Anyone have a working pf redirect rule?

I've been trying for hours now to redirect a port on my external WAN IP to an internal machine. I've tried various combinations of

Code:
rdr on $ext_if proto udp from any to $ext_if port 32400 -> 192.168.1.32 port 32400
and

Code:
rdr on $ext_if proto tcp from any to any port 32400 -> 192.168.1.32
But nothing seems to work!

Here is the whole pf.conf:

Code:
# Set some variables for use later
ext_if="em0"
int_if="ix0"
icmp_types="echoreq"

# Skip all loopback traffic
set skip on lo

# Scrub all traffic
scrub in

# Perform NAT on external interface
#rdr on $ext_if proto udp from any to $ext_if port 32400 -> 192.168.1.32 port 32400
nat on $ext_if from $int_if:network -> ($ext_if:0)
rdr on $ext_if proto tcp from any to any port 32400 -> 192.168.1.32



# Define default behavior
block in
pass out keep state

# Allow inbound traffic on internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port 32400 flags S/SA keep state
What am I doing wrong?
#2
3rd October 2021, vns3

First of all, I am not an expert with fw's, lol.

Looking at your rdr rule and comparing it with examples in The Book of PF, the rdr line itself seems right.

I believe rdr requires another rule passing the traffic as well, which is what it looks like you are doing here:

Code:
pass in on $ext_if proto tcp to ($ext_if) port 32400 flags S/SA keep state
If it were me, I would open this rule up and see what happens. I am not sure why you need the "to" part of the statement, and it seems to me that might be blocking any traffic not having a destination of em0.

Are em0 and 192.168.1.32 the same device?
#3
6th October 2021, epitaxial

Thanks for the reply. em0 is my WAN IP address and 192.168.1.32 is a separate box on my internal network.
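As an added example (not posted by either participant), here is the relevant part of the pf.conf from post #1 with the pass rule adjusted to follow up on the point raised in post #2: pf applies nat/rdr translation before it evaluates the filter rules, so a rule that only passes traffic "to ($ext_if)" never sees the redirected packet, whose destination is already 192.168.1.32, and the default "block in" drops it. The interface names, the 192.168.1.32 host and port 32400 come from the thread; the srv_host/srv_port macro names are ours.

```pf
# Added example, not the poster's own config.
ext_if="em0"
int_if="ix0"
srv_host="192.168.1.32"   # internal box from the thread
srv_port="32400"

set skip on lo
scrub in

# Translation rules: evaluated BEFORE the filter rules below.
nat on $ext_if from $int_if:network -> ($ext_if:0)
rdr on $ext_if proto tcp from any to ($ext_if) port $srv_port -> $srv_host port $srv_port

# Default policy
block in
pass out keep state

pass quick on $int_if
antispoof quick for { lo $int_if }

# Original rule: never matches, because by the time filtering runs the
# packet's destination has been rewritten from ($ext_if) to $srv_host.
#pass in on $ext_if proto tcp to ($ext_if) port 32400 flags S/SA keep state

# Corrected: pass the packet as it looks after rdr (translated destination).
# The state entry also handles un-translating the replies.
pass in on $ext_if proto tcp from any to $srv_host port $srv_port flags S/SA keep state

# Equivalent shorthand: "rdr pass" creates the matching pass rule itself,
# so the separate "pass in" above is not needed when this form is used.
#rdr pass on $ext_if proto tcp from any to ($ext_if) port $srv_port -> $srv_host port $srv_port
```

`pfctl -vnf /etc/pf.conf` parses the file without loading it, and `pfctl -sn` / `pfctl -sr` show the loaded translation and filter rules so you can confirm which destination the pass rule is actually matching.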