rdr not working

From: Erik Sabowski (sabowski_at_hotmail.com)
Date: 12/12/03


Date: Fri, 12 Dec 2003 15:47:57 -0500

I have been working on this for a couple of days and still have not got it
working.

I'm running OpenBSD 3.1 on a machine with 3 ethernet cards, one for the
Internet (ep1), one for the internal network (fxp0) and one for the DMZ
(sis0). My problem is that redirection is not working. I am trying to
redirect port 80 traffic to the webserver on the DMZ. Using tcpdump I can
see that the traffic is passed in through the external interface, but it's
not getting to the dmz interface. However, I am able to get to the webserver
from the internal network without a problem. NAT also works with no
problems.

thanks

###---begin nat.conf---###
# macros
EXT_IF = "ep1"
EXT_IP = "xx.xx.xx.xx"
INT_IF = "fxp0"
INT_NW = "10.10.0.0/24"
DMZ_IF = "sis0"
DMZ_NW = "10.11.0.0/24"
WEBSERVER_IP = "10.11.0.80"

# NAT
# internal network
nat on $EXT_IF from $INT_NW to any -> $EXT_IP
# DMZ network
nat on $EXT_IF from $DMZ_NW to any -> $EXT_IP

# EXTERNAL INTERFACE (ep1)
# redirect port 80 requests to the webserver
rdr on $EXT_IF proto { tcp, udp } from any to $EXT_IP port 80 -> $WEBSERVER_IP port 80

# INTERNAL INTERFACE
# redirect to internal services when people try to connect to external IP
# webserver
rdr on $INT_IF proto tcp from $INT_NW to $EXT_IP port 80 -> $WEBSERVER_IP port 80

# DMZ INTERFACE (sis0)
###---end nat.conf---###

###---begin pf.conf---###
# macros
INT_IF = "fxp0"
INT_NW = "10.10.0.0/24"
EXT_IF = "ep1"
EXT_IP = "xx.xx.xx.xx"
EXT_IP_NW = "xx.xx.xx.xx/32"
DMZ_IF = "sis0"
DMZ_NW = "10.11.0.0/24"
WEBSERVER_IP_NW = "10.11.0.80/32"
ICMP_TYPES = "echoreq"
# non-routable IPs
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# scrub (normalize packets)
scrub in all

block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all

# EXTERNAL INTERFACE RULES (ep1)
# don't let any non-routable IPs in or out the external interface
block in quick on $EXT_IF from $priv_nets to any
block out quick on $EXT_IF from any to $priv_nets

pass in on $EXT_IF inet proto icmp all icmp-type $ICMP_TYPES keep state

# let connections originated from the inside out, and keep track of the state
pass out on $EXT_IF proto tcp all flags S/SA modulate state
pass out on $EXT_IF proto { udp, icmp } all keep state

# webserver
pass in log on $EXT_IF proto { tcp, udp } from any to $EXT_IP_NW port 80 flags S/SA keep state

# INTERNAL NETWORK INTERFACE RULES (fxp0)
block in quick on $INT_IF from !$INT_NW to any
block out quick on $INT_IF from any to !$INT_NW

pass in on $INT_IF from $INT_NW to any keep state
pass out on $INT_IF from any to $INT_NW keep state

# DMZ INTERFACE (sis0)
block in quick on $DMZ_IF from !$DMZ_NW to any
block out quick on $DMZ_IF from any to !$DMZ_NW

# block all traffic to internal network
block in quick on $DMZ_IF from $DMZ_NW to $INT_NW

pass in log on $DMZ_IF from $DMZ_NW to any keep state
pass out log on $DMZ_IF from any to $DMZ_NW keep state
###---end pf.conf---###
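The symptom described above (SYN seen on ep1, nothing ever reaching sis0) is what PF produces when the filter rule on the external interface matches the pre-translation address. On OpenBSD, an inbound packet is run through the rdr rules before the filter rules, so by the time the "# webserver" pass rule is evaluated the destination is already 10.11.0.80, not the external IP; a rule written "to $EXT_IP_NW" never matches the redirected SYN, which then falls through to "block in log all". The fragment below is an added example, not part of the original post: it reuses the poster's own macros ($EXT_IF, $WEBSERVER_IP_NW) and replaces only the "# webserver" pass rule in pf.conf. It also drops udp from the rule, since HTTP is TCP and "flags" only applies to TCP.

```pf
# Added example (not the poster's config): filter rule for redirected
# web traffic on the external interface. Macros are the poster's own.
#
# Translation (rdr) runs before filtering on inbound packets, so the
# filter rule must match the translated destination (10.11.0.80/32 via
# $WEBSERVER_IP_NW), not the external address ($EXT_IP_NW). The rest of
# the poster's pf.conf, including the "pass out log on $DMZ_IF from any
# to $DMZ_NW keep state" rule that lets the packet leave sis0, stays as is.

# webserver: match the post-rdr destination, TCP only
pass in log on $EXT_IF proto tcp from any to $WEBSERVER_IP_NW port 80 flags S/SA keep state
```

Before changing anything, confirm the diagnosis: the default "block in log all" logs to pflog0, so `tcpdump -n -e -ttt -i pflog0` on the firewall while a client connects should show the SYN to 10.11.0.80 being blocked, together with the number of the rule that blocked it (`pfctl -s rules` prints the rules in the same order). After editing, parse the file without loading it with `pfctl -n -R /etc/pf.conf`, then load it and watch pflog0 again; the redirected SYN should no longer appear there, and tcpdump on sis0 should now see it.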