Re: rdr not working

From: Edward Paul Wehrwein (last_name_at_ccs.neu.edu)
Date: 12/13/03


Date: Fri, 12 Dec 2003 18:50:00 -0500


"Erik Sabowski" <sabowski@hotmail.com> wrote in message
news:irOdnf6Xb9ZwtUeiRTvUqQ@speakeasy.net...
> I have been working on this a couple of days and still have not got it
> working
>
> I'm running openBSD 3.1 on a machine with 3 ethernet cards, one for the
> internet (ep1), one for the internal network (fxp0) and one for the dmz
> (sis0). My problem is that redirection is not working. I am trying to
> redirect port 80 traffic to the webserver on the DMZ. Using tcpdump I can
> see that the traffic is passed in through the external interface, but it's
> not getting to the dmz interface. However, I am able to get to the
> webserver from the internal network without a problem. NAT also works with no
> problems.
>
> thanks
>
> ###---begin nat.conf---###
> # macros
> EXT_IF = "ep1"
> EXT_IP = "xx.xx.xx.xx"
> INT_IF = "fxp0"
> INT_NW = "10.10.0.0/24"
> DMZ_IF = "sis0"
> DMZ_NW = "10.11.0.0/24"
> WEBSERVER_IP = "10.11.0.80"
>
> # NAT
> # internal network
> nat on $EXT_IF from $INT_NW to any -> $EXT_IP
> # DMZ network
> nat on $EXT_IF from $DMZ_NW to any -> $EXT_IP
>
> # EXTERNAL INTERFACE (ep1)
> # redirect port 80 requests to the webserver
> rdr on $EXT_IF proto { tcp, udp } from any to $EXT_IP port 80 -> $WEBSERVER_IP port 80
You might try removing the udp, unless you specifically need it.

>
> # INTERNAL INTERFACE
> # redirect to internal services when people try to connect to external IP
> # webserver
> rdr on $INT_IF proto tcp from $INT_NW to $EXT_IP port 80 -> $WEBSERVER_IP port 80
>
> # DMZ INTERFACE (sis0)
> ###---end nat.conf---###
>
> ###---begin pf.conf---###
> # macros
> INT_IF = "fxp0"
> INT_NW = "10.10.0.0/24"
> EXT_IF = "ep1"
> EXT_IP = "xx.xx.xx.xx"
> EXT_IP_NW = "xx.xx.xx.xx/32"
> DMZ_IF = "sis0"
> DMZ_NW = "10.11.0.0/24"
> WEBSERVER_IP_NW = "10.11.0.80/32"
> ICMP_TYPES = "echoreq"
> # non-routable IPs
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> # scrub (normalize packets)
> scrub in all
>
> block in log all
> block out log all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # EXTERNAL INTERFACE RULES (ep1)
> # don't let any non-routable IPs in or out the external interface
> block in quick on $EXT_IF from $priv_nets to any
> block out quick on $EXT_IF from any to $priv_nets
>
> pass in on $EXT_IF inet proto icmp all icmp-type $ICMP_TYPES keep state
>
> # let connections originated from the inside out, and keep track of the state
> pass out on $EXT_IF proto tcp all flags S/SA modulate state
> pass out on $EXT_IF proto { udp, icmp } all keep state
>
> # webserver
> pass in log on $EXT_IF proto { tcp, udp } from any to $EXT_IP_NW port 80 flags S/SA keep state
This rule probably should read:
pass in log on $EXT_IF proto {tcp, udp} from any to $WEBSERVER_IP_NW port 80
because these rules are evaluated after nats and rdrs are done. Obviously as
I said above, you should probably remove udp, unless you need it for a
specific service you're running, as normal web site traffic is tcp.

>
> # INTERNAL NETWORK INTERFACE RULES (fxp0)
> block in quick on $INT_IF from !$INT_NW to any
> block out quick on $INT_IF from any to !$INT_NW
>
> pass in on $INT_IF from $INT_NW to any keep state
> pass out on $INT_IF from any to $INT_NW keep state
>
> # DMZ INTERFACE (sis0)
> block in quick on $DMZ_IF from !$DMZ_NW to any
> block out quick on $DMZ_IF from any to !$DMZ_NW
>
> # block all traffic to internal network
> block in quick on $DMZ_IF from $DMZ_NW to $INT_NW
>
> pass in log on $DMZ_IF from $DMZ_NW to any keep state
> pass out log on $DMZ_IF from any to $DMZ_NW keep state
> ###---end pf.conf---###
>
>
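The ordering the reply relies on (rdr translation runs first, then the filter rules see the rewritten destination) can be checked without a pf host. This is an added model, not code from either poster or from OpenBSD; the addresses are constructed stand-ins for the xx.xx.xx.xx of the post, and only the external-interface port 80 path is modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed values standing in for the post's xx.xx.xx.xx and its webserver.
EXT_IP = "198.51.100.10"
WEBSERVER_IP = "10.11.0.80"


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def rdr(pkt: Packet) -> Packet:
    """nat.conf: rdr on ep1 proto tcp from any to EXT_IP port 80 -> WEBSERVER_IP port 80.
    Translation happens before filtering, so the filter sees the new destination."""
    if pkt.iface == "ep1" and pkt.proto == "tcp" and pkt.dst == EXT_IP and pkt.dport == 80:
        return replace(pkt, dst=WEBSERVER_IP)
    return pkt


def filter_in(pkt: Packet, pass_dst: str) -> str:
    """pf.conf model: 'block in log all', then one 'pass in on ep1 proto tcp
    from any to <pass_dst> port 80'. Last matching rule wins."""
    decision = "block"
    if (pkt.iface == "ep1" and pkt.proto == "tcp" and pkt.dport == 80
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(pass_dst)):
        decision = "pass"
    return decision


def evaluate(pkt: Packet, pass_dst: str) -> str:
    return filter_in(rdr(pkt), pass_dst)


def original_ruleset(pkt: Packet) -> str:
    # Poster's rule: pass rule matches the *untranslated* external address.
    return evaluate(pkt, EXT_IP + "/32")


def corrected_ruleset(pkt: Packet) -> str:
    # Reply's suggestion: pass rule matches the translated webserver address.
    return evaluate(pkt, WEBSERVER_IP + "/32")


# Constructed inbound HTTP packet from an outside client.
SAMPLE = Packet("ep1", "tcp", "203.0.113.5", EXT_IP, 80)

if __name__ == "__main__":
    print("original:", original_ruleset(SAMPLE))   # block
    print("corrected:", corrected_ruleset(SAMPLE))  # pass
```

The blocked result matches what tcpdump showed the poster: the packet arrives on ep1 but never leaves on sis0, because after translation its destination is 10.11.0.80 and no pass rule matches that address.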