PF won't open port despite rules...


Dain_L
06-24-2008, 05:49 AM
Hello,

I just don't get it. I have a PF firewall on my DSL connection with 3 internal network interfaces. On one of the internal networks (LNETTR) there's a web server and an SMTP server.

However, despite redirections and filtering rules it doesn't work. The redirected ports do not open. If I scan myself all ports are still STEALTH.
Web surfing and any outgoing traffic I allow works perfectly.

Any help would be appreciated.
Thanks in advance.

/U



# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $


# 1. Macros
lo_if = "lo0"

ext_if = "rl0"

UNET_if = "vr0"
UNET_network = "10.20.0.32/27"

LNETTR_if = "rl1"
LNETTR_network = "10.20.0.64/27"

# PUBNET_if = "rl2"
# PUBNET_network "10.20.0.96/27"

internal_networks = "{ 10.20.0.32/27, 10.20.0.64/27 }"
reserved_networks = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

tcpservices = "{ 22, 21, 25, 80, 443, 1863, 5190 }"
udpservices = "{ 53 }"


# 2. Tables
# Empty.

# 3. Options
set limit { states 50000, frags 50000 }
set block-policy drop
set optimization aggressive
# set loginterface $ext_if
set skip on $lo_if

# 4. Packet normalization
scrub in all

# 5. Queueing

# 6. Translation
nat on $ext_if from $internal_networks -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $UNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr pass on $LNETTR_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# rdr pass on $PUBNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> <server ip> port 53



# 7. Filtering


block in all
block out all

block in quick on $ext_if from $reserved_networks to any
block out quick on $ext_if from any to $reserved_networks
block return in log quick on $UNET_if proto tcp from ! x.x.x.x to $UNET_if port 22

pass in on {$UNET_if, $LNETTR_if} proto tcp from $internal_networks to any port $tcpservices
pass in on {$UNET_if, $LNETTR_if} proto udp from $internal_networks to any port $udpservices

pass in on $ext_if proto tcp from any to ($ext_if) port 80 synproxy state
pass in on $ext_if proto tcp from any to ($ext_if) port 25

pass out on $LNETTR_if all
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state


anchor "ftp-proxy/*"
antispoof for { $ext_if, $UNET_if, $LNETTR_if }

#EOF

jggimi
06-24-2008, 04:41 PM
Step 0. Make sure all pass and block rules log their actions.

Step 1. Make sure net.inet.ip.forwarding=1.

Step 2. Use "# tcpdump -neti pflog0" to see what rule # is blocking.

Step 3. Use "# pfctl -vvsr" to match the number to the rule.

Lather. Rinse. Repeat.
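The loop above (log everything, read the rule number off pflog0, map it back with pfctl -vvsr) is mechanical enough to script. The following is an added example, not code from the thread or from OpenBSD: it parses a constructed excerpt of "pfctl -vvsr" output (rules prefixed with @N, each followed by a statistics line) and constructed "tcpdump -neti pflog0" lines (prefixed "rule N/..."), then reports which rule dropped each packet and how many drops each rule accounts for. The output formats, interface name rl0, and all addresses are assumptions; the sample pflog lines assume that, because translation runs before filtering, the logged destination is already the post-rdr internal address.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of `pfctl -vvsr` output (format assumed: "@<n> <rule>"
# followed by an indented statistics line that we ignore).
PFCTL_VVSR = """\
@0 block drop in all
  [ Evaluations: 1204   Packets: 811   Bytes: 48660   States: 0   ]
@1 block drop out all
  [ Evaluations: 390    Packets: 0     Bytes: 0       States: 0   ]
@5 pass in on rl0 inet proto tcp from any to (rl0) port = www flags S/SA synproxy state
  [ Evaluations: 57     Packets: 0     Bytes: 0       States: 0   ]
"""

# Constructed sample of `tcpdump -neti pflog0` output (format assumed:
# "rule <n>/(match) <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: ...").
# The blocked packets already carry the rdr'd internal destination 10.20.0.70.
PFLOG = """\
rule 0/(match) block in on rl0: 203.0.113.9.51234 > 10.20.0.70.80: S 1:1(0) win 65535
rule 0/(match) block in on rl0: 203.0.113.9.51235 > 10.20.0.70.25: S 2:2(0) win 65535
rule 5/(match) pass in on rl0: 203.0.113.9.51236 > 198.51.100.4.80: S 3:3(0) win 65535
"""

RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<rule>.+)$")
PFLOG_RE = re.compile(
    r"^rule (?P<num>\d+)/\S+ (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_rules(pfctl_output: str) -> Dict[int, str]:
    """Map rule number -> rule text from `pfctl -vvsr` output."""
    rules = {}
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group("num"))] = m.group("rule")
    return rules


def parse_pflog(tcpdump_output: str) -> List[dict]:
    """Extract rule number, action, direction, interface and 4-tuple per log line."""
    events = []
    for line in tcpdump_output.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["num"] = int(e["num"])
            events.append(e)
    return events


def explain_blocks(pfctl_output: str, tcpdump_output: str) -> List[str]:
    """One line per blocked packet naming the rule that dropped it."""
    rules = parse_rules(pfctl_output)
    out = []
    for e in parse_pflog(tcpdump_output):
        if e["action"] != "block":
            continue
        text = rules.get(e["num"], "<rule not in pfctl -vvsr output>")
        out.append(f"@{e['num']} '{text}' dropped {e['src']}:{e['sport']} -> "
                   f"{e['dst']}:{e['dport']} {e['dir']} on {e['iface']}")
    return out


def blocks_per_rule(tcpdump_output: str) -> Dict[int, int]:
    """Count drops by rule number so the noisiest rule stands out."""
    return dict(Counter(e["num"] for e in parse_pflog(tcpdump_output)
                        if e["action"] == "block"))


if __name__ == "__main__":
    for line in explain_blocks(PFCTL_VVSR, PFLOG):
        print(line)
    print(blocks_per_rule(PFCTL_VVSR and PFLOG))
```

In the constructed sample both inbound connections fall through to the catch-all @0, and the logged destination is the internal server address rather than the external one: that is the clue that a pass rule keyed on the external address can never match after redirection.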

halber_mensch
06-24-2008, 08:54 PM
Are you testing from inside or outside your network? Be sure to read the relevant section of the pf documentation regarding redirection and reflection (http://www.openbsd.org/faq/pf/rdr.html)


...
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server \
port 80

But when the redirection rule is tested from a client on the LAN, it doesn't work. The reason is that redirection rules apply only to packets that pass through the specified interface ($ext_if, the external interface, in the example). Connecting to the external address of the firewall from a host on the LAN, however, does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way. Thus, PF never sees these packets on the external interface, and the redirection rule, specifying the external interface, does not apply.

s2scott
09-12-2008, 02:14 AM
#
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
#
pass in on $ext_if proto tcp from any to ($ext_if) port 80 synproxy state # <- this rule, as written, will NEVER be true because the rdr re-write has occurred.
pass in on $ext_if proto tcp from any to ($ext_if) port 25
#rdr action occurs first and changes the packet's dest to <server_ip> from ($ext_if); therefore, the working rdr-pass pair is as follows

#
rdr on $ext_if inet proto tcp \
from any to ($ext_if) port 80 -> <server ip> port 80
#
pass in on $ext_if inet proto tcp \
from any to <server_ip> port 80 synproxy state
#And, imo, I prefer using tag/tagged and let pf keep track of the ip-addr-in-motion...

#
rdr on $ext_if inet proto tcp \
from any to ($ext_if) port 80 tag OKHTTP -> <server ip> port 80
#
pass in on $ext_if inet proto tcp \
tagged OKHTTP synproxy state
#
pass out on $LNETTR_if inet proto tcp \
tagged OKHTTP keep state
#
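The mismatch s2scott describes (the pass rule keys on the pre-translation destination, so after rdr rewrites the packet nothing admits it and "block in all" wins) can be caught by a static check over the ruleset. The following is an added example, not code from the thread or from the pf project: a small checker for the rdr / pass-in forms used in this thread. It flags pass rules whose destination and port are exactly the ones an rdr on the same interface rewrites, and rdr rules that no pass rule covers, either by the translated destination or by a matching tag. The grammar it understands is limited to those forms; the server address 10.20.0.70 stands in for the thread's <server ip> placeholder and is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed grammar: only the simple "rdr [pass] on IF [inet] proto P from S to D port N
# [tag T] -> H port M" and "pass in on IF [inet] proto P from S to D port N" /
# "pass in on IF [inet] proto P tagged T" forms are recognised; other lines are ignored.
RDR_RE = re.compile(
    r"^rdr(?P<inline_pass>\s+pass)?\s+on\s+(?P<iface>\S+)(?:\s+inet6?)?"
    r"\s+proto\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+port\s+(?P<port>\S+)(?:\s+tag\s+(?P<tag>\S+))?"
    r"\s+->\s+(?P<rdst>\S+)\s+port\s+(?P<rport>\S+)"
)
PASS_IN_RE = re.compile(
    r"^pass\s+in\s+on\s+(?P<iface>\S+)(?:\s+inet6?)?\s+proto\s+(?P<proto>\S+)"
    r"(?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+port\s+(?P<port>\S+)"
    r"|\s+tagged\s+(?P<tag>\S+))"
)


@dataclass
class Rdr:
    iface: str
    proto: str
    dst: str
    port: str
    rdst: str
    rport: str
    tag: Optional[str]
    inline_pass: bool   # "rdr pass" admits the packet itself
    text: str


@dataclass
class PassIn:
    iface: str
    proto: str
    dst: Optional[str]  # None for a "tagged" rule
    port: Optional[str]
    tag: Optional[str]
    text: str


def logical_lines(conf: str) -> List[str]:
    """Strip comments, join backslash continuations, collapse whitespace."""
    out, buf = [], ""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(" ".join((buf + line).split()))
        buf = ""
    return out


def check_rdr_pass(conf: str) -> List[str]:
    """Return findings describing rdr/pass pairs that cannot work together."""
    rdrs, passes = [], []
    for line in logical_lines(conf):
        m = RDR_RE.match(line)
        if m:
            g = m.groupdict()
            rdrs.append(Rdr(g["iface"], g["proto"], g["dst"], g["port"], g["rdst"],
                            g["rport"], g["tag"], g["inline_pass"] is not None, line))
            continue
        m = PASS_IN_RE.match(line)
        if m:
            g = m.groupdict()
            passes.append(PassIn(g["iface"], g["proto"], g["dst"], g["port"], g["tag"], line))

    findings = []
    # 1. A pass rule keyed on the pre-translation destination never matches:
    #    translation has already rewritten the packet when filtering runs.
    for p in passes:
        for r in rdrs:
            if p.dst is not None and (p.iface, p.proto, p.dst, p.port) == (r.iface, r.proto, r.dst, r.port):
                findings.append(f"unreachable: '{p.text}' keys on {p.dst} port {p.port}, but "
                                f"'{r.text}' already rewrote the destination to {r.rdst} port {r.rport}")
    # 2. Every plain rdr needs a pass rule that admits the translated packet,
    #    by post-translation destination or by tag; otherwise 'block in all' wins.
    for r in rdrs:
        if r.inline_pass:
            continue
        covered = any((p.tag is not None and p.tag == r.tag)
                      or (p.iface == r.iface and p.proto == r.proto
                          and p.dst == r.rdst and p.port == r.rport)
                      for p in passes)
        if not covered:
            findings.append(f"dropped: no pass rule admits traffic redirected by '{r.text}'")
    return findings


# Constructed from the thread's original rules; 10.20.0.70 replaces <server ip>.
BROKEN_CONF = """
rdr pass on $UNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 10.20.0.70 port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> 10.20.0.70 port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> 10.20.0.70 port 53
block in all
pass in on $ext_if proto tcp from any to ($ext_if) port 80 synproxy state
pass in on $ext_if proto tcp from any to ($ext_if) port 25
"""

# The two working shapes from the reply: tag/tagged for 80, post-rdr address for 25.
FIXED_CONF = """
rdr on $ext_if inet proto tcp \\
    from any to ($ext_if) port 80 tag OKHTTP -> 10.20.0.70 port 80
rdr on $ext_if inet proto tcp from any to ($ext_if) port 25 -> 10.20.0.70 port 25
block in all
pass in on $ext_if inet proto tcp \\
    tagged OKHTTP synproxy state
pass in on $ext_if inet proto tcp from any to 10.20.0.70 port 25
"""

if __name__ == "__main__":
    for name, conf in (("original", BROKEN_CONF), ("corrected", FIXED_CONF)):
        print(name, check_rdr_pass(conf) or ["ok"])
```

On the original rules the checker reports five findings: the pass rules for 80 and 25 are unreachable, and the rdr rules for 80, 25 and 53 are left with nothing to admit them (the "rdr pass" FTP proxy rule is exempt because it passes on its own). The corrected set produces none. The check is purely textual, so a rule written with a macro on one side and the expanded address on the other will not be recognised as the same destination.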