port forwarding

[ikevmowe]

[ COMP1 ] [ COMP3 ]
| |
---+------+-----+------- xl0 [ OpenBSD ] fxp0 -------- ( Internet )
|
[ COMP2 ]



Please help me to configure the /etc/pf.conf that my OpenBSD can forward port 55555 to port 22. I have sshd installed on COMP3, and I want to ssh to COMP3 from Internet. I have following rules, but it doesn't work. Please help.

# macros
ext_if="fxp0"
int_if="xl0"

comp3="192.168.0.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

## my port forwarding rule
rdr on $ext_if proto tcp from any to any port 55555 -> 192.168.0.3 port 22


# filter rules
block in

pass out keep state

pass in quick on $int_if

[J65nko]

Code:

## my port forwarding rule
rdr on $ext_if proto tcp from any to any port 55555   tag SSH -> \
  192.168.0.3 port 22 

# filter rules
block in

pass in quick on $ext_if tagged SSH 
pass out 

pass in quick on $int_if

[jggimi]

You're using a non-Internet-routable RFC 1918 address (192.168.0.3) but you do not show any Network Address Translation (NAT) configured in PF.

If fxp0 has a real internet address, you'll need to configure NAT if you want any of the devices on your local network to be able to connect to the internet.

If fxp0 uses a different RFC 1918 subnet, then NAT occurs between fxp0 and your ISP.

http://openbsd.rt.fm/faq/pf/nat.html

[ikevmowe]

Quote:

Originally Posted by J65nko

Code:

## my port forwarding rule
rdr on $ext_if proto tcp from any to any port 55555   tag SSH -> \
  192.168.0.3 port 22 

# filter rules
block in

pass in quick on $ext_if tagged SSH 
pass out 

pass in quick on $int_if

I have tried out above rules. However, I don't see port 55555 is open. SSH it failed.

[ikevmowe]

Quote:

Originally Posted by jggimi

You're using a non-Internet-routable RFC 1918 address (192.168.0.3) but you do not show any Network Address Translation (NAT) configured in PF.

I have below nat rule,

nat on $ext_if from !($ext_if) to any -> ($ext_if)

Is this ok(Secure)?

[jggimi]

Quote:

Originally Posted by ikevmowe

Is this ok(Secure)?

Yes.

[J65nko]

Quote:

Originally Posted by ikevmowe

I have tried out above rules. However, I don't see port 55555 is open. SSH it failed.

You also need a rule to pass out the traffic

Code:

pass out quick on $int_if tagged SSH

Thing like this can be figured easily if you have a block log (all) rule, which copies blocked packets to the pflog0 device.
By running tcpdump you then can see these packets

Code:

# tcpdump -eni pflog0

[ikevmowe]

Quote:

Originally Posted by J65nko

You also need a rule to pass out the traffic

Code:

pass out quick on $int_if tagged SSH

I have the following rules. Port 55555 is still not open.

Code:

# macros
ext_if="fxp0"
int_if="xl0"

comp3="192.168.0.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) to any -> ($ext_if)

## my port forwarding rule
rdr on $ext_if proto tcp from any to any port 55555   tag SSH -> \
  192.168.0.3 port 22 


# filter rules
block in

pass in quick on $ext_if tagged SSH 
pass in quick on $int_if

pass out quick on $int_if tagged SSH
pass out keep state

[J65nko]

If you run tcpdump on the external interface do you see the packets coming in on port 55555?

Code:

tcpdump -ni fxp0

You either need a friend to ssh in to your box, or use a free shell account provider like http://silenceisdefeat.org, to ssh in to your box. Remember that the connection really does need to enter the external interface through the internet.

Please read http://openbsd.org/faq/pf/rdr.html#reflect why connections initiated from the local lan will never get redirected

[ikevmowe]

My friend tested it, and I have tried tcpdump it, I do not see any packets coming in on port 55555. Are there anything wrong with my rules?

[jggimi]

If that is your complete rule set, you are not logging PF data.

Each filter rule you want to log must explicitly state it, whether a block or a pass. J65nko's example, above, will log only blocked packets. If you want to log passing packets, those rules must include "log", also.

http://openbsd.rt.fm/faq/pf/logging.html

[J65nko]

Quote:

Originally Posted by ikevmowe

My friend tested it, and I have tried tcpdump it, I do not see any packets coming in on port 55555. Are there anything wrong with my rules?

If you run tcpdump on the external interface (tcpdump -ni fxp0) , you will see the packets as they arrive, and before pf gets a chance to block them.

If tcpdump -ni fxp0 doesn't show packets with destination port 55555 then your friend possibly forget to tell ssh to use 55555 instead of the default 22.

[jggimi]

True. My comments were directed to logging pf actions -- which will record any logged block/pass rule as it is applied (tcpdump -ni pflog0, or tcpdump -nr /var/log/pflog)

[ivanatora]

Code:

rdr on $ext_if proto tcp from any to any port 55555 ...

from any to any?
Maybe: from any to $ext_ip ?