No redirection pass with one interface ?

[Simon]

Hi,

I m doing some tests with my virtualbox machine.
I use a virtual machine with only one interface. (I use OpenBSD 4.6)
I try to redirect all webpage to my website.
But my rdr pass on... doesnt' work.
Perhaps, it works with more than one interface. ?
When i do pfctl -nf /etc/pf.conf : no errors
i can go to my website, ping works.
But redirection doesn't work for example, when i type :
lynx www.google.fr, it doesn't send me to my website.
can you help me ?

here my pf ruleset
---------------------

Code:

me="egress:network"
mywebsite="www.mywebsite.com"
set skip on lo
set drop policy drop
match in scrub all (no-df max-mss 1440)
rdr pass on egress proto tcp from $me to ! $mywebsite \
                 port 80 -> $mywebsite port 80
block log all
pass out on egress proto icmp all icmp-type { echoreq unreach }
pass out on egress proto tcp from $me to $mywebsite port 80

[jggimi]

Your redirect rule is not working for any number of reasons. One of those possibilities is requiring DNS to be operative before your rules are loaded at boot time. Look at the output of # pfctl -s rules to see if you've got the IP address resolved after a standard boot. Depending on how DNS is configured in your environment, this could be a problem.

Another possibility is that you have not enabled IPv4 packet forwarding. It's a sysctl.

I also note you are using an external IP address instead of 127.0.0.1 for your redirect. While it may work with a NIC address, you will gain greater efficiencies through the loopback interface.

Here's a real world example that only permits authenticated WiFi users (authpf, IPSec, or in a table of guest uses) to go on the web. Everyone else gets a page delivered from virtual host on the webserver with an unauthorized usage message. The syntax is a little different as this is -current:

Code:

# redirect unauthorized IP users to a local web page.  This includes both
# the approved addresses in tables, as well as IPSec traffic.
#
pass log quick proto tcp from {<authpf_users> <guests> <wired>} to any port www
pass log quick proto tcp from any to any port www tagged ipsec
pass in log quick proto tcp from $internal_net to any port www \
    rdr-to 127.0.0.1 port 8080

[Simon]

IPV4 forwarding is not enabled in my sysctl config, i use only one interface, it is not necessary to enable that.
pfctl -s rules, i can see my public address ip in rules.
But my redirection still not works.

[jggimi]

The section of the PF FAQ on Redirection and Reflection says (highlight mine):

Quote:

...redirection rules apply only to packets that pass through the specified interface....Connecting to the external address...does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way. Thus, PF never sees these packets on the external interface, and the redirection rule, specifying the external interface, does not apply.

What I would do, if I were you: use the loopback interface. If that alone does not solve the problem, then enable packet forwarding, and see if it makes a difference.

If both of those things do not help, then your next step is to trace your rules with tcpdump(8) and pflog(4), as described in the PF FAQ's chapter on logging.

[Simon]

thank you.

[J65nko]

1. I wonder how you can visit your website when you are not allowing out DNS traffic (udp) on port 53
   
   Code:

   block log all
   pass out on egress proto icmp all icmp-type { echoreq unreach }
   pass out on egress proto tcp from $me to $mywebsite port 80

2. You are interpreting the directions as seen by pf, not correctly
   
   pf sees the directions IN and OUT like this diagram
   Code:

      INTERNET
          |
          |
    OUT   |      IN 
     |    |      |
    /|\   |      |
     |    |     \|/
     |    |      |
   -------|------------
         pppoe
     11.22.33.44
   
   ---------------------

   That is why your redirection will never take place

[Simon]

Sorry (to J65nko), i forget to write a line (not in the virtual machine) :
pass out on egress proto udp from $me to any port domain

[Simon]

i don't understand why it doesn't work.

my pf.conf :
--------------
me="egress:network"
mywebsite="www.mywebsite.com"
set skip on lo
set drop policy drop
match in scrub all (no-df max-mss 1440)
rdr pass on egress proto tcp from $me to ! $mywebsite \
port 80 -> $mywebsite port 80
block log all
pass out on egress proto icmp all icmp-type { echoreq unreach }
pass out on egress proto udp from $me to any port domain
pass out on egress proto tcp from $me to $mywebsite port 80

[Simon]

...After a long time...

It never works because i use the openbsd box has a workstation so there's no traffic IN (i let only out : ping, domain port, 80 (monsite)); when i use Lynx on the box, i do only traffic out, isn't it ?
Conclusion:
My rdr line is useless. Is there a way to accomplish what i want to do? Implement squid ?

[jggimi]

Since we don't know what it is you are actually trying to do.... perhaps you could actually explain it.

Did you try my recommendation of using 127.0.0.1 instead of $mywebsite? I only recommended it two or three times.

[Simon]

To Jggimi :
I have already done "website redirection" using rdr rules with firewall for companies, it works fine. Now i want only for "test", try to do the same thing but on an OpenBSD machine as a workstation (only one interface). I tried 127.0.0.1 instead of $mywebsite, it doesn't work, i have the same mistake, the rdr line is not used.

I continue to think that :
It never works because i use the openbsd box has a workstation so there's no traffic IN (i let only out : ping, domain port, 80 (monsite)); when i use Lynx on the box, i do only traffic out.

[J65nko]

Quote:

Originally Posted by Simon

I continue to think that :
It never works because i use the openbsd box has a workstation so there's no traffic IN (i let only out : ping, domain port, 80 (monsite)); when i use Lynx on the box, i do only traffic out.

That is exactly what I pointed out in http://www.daemonforums.org/showthre...4476#post30568.