Ok, i've tried but failed. Damn

[BSDfan666]

PF supports interface group names jggimi, "lo" is valid and is used in FAQ examples.

But you are right, the skip rule makes it redundant.

[jggimi]

Thanks BSDfan. I feel sheepish.


Birdmansdomain: I have just recreated your environment, with your pf.conf as posted above. It works fine.

TCP traffic from the outside destined for port 80 gets properly routed to the server, and responses get properly routed back.

My test configuration:

Workstation --- Router ---- Server

All three were running 4.5-release. (-current has changes to PF affecting scrub and require-order).

Your pf.conf was used verbatim, except for changing the NICs.

---------------------------

Server:
/etc/hostname.ne3 contained "inet 192.168.0.10/24"
/etc/mygate contained "192.168.0.1"
# nc -l 80

Router:
/etc/hostname.ne3 contained "inet 10.0.0.1/24"
/etc/hostname.ne4 contained "inet 192.168.0.1/24"
/etc/sysctl.conf contained "net.inet.ip.forwarding=1"
an empty /etc/ssh-violate was created with touch(1)
your pf.conf was enabled, with the following changes: ext_if="ne3", int_if="ne4", wifi_if="ne5"

Workstation:
/etc/hostname.ne3 contained "inet 10.0.0.2/24"
# nc 10.0.0.1 80

Two-way TCP communication was established and confirmed between nc applets on the workstation and server, through the router.

[BSDfan666]

jggimi has gone the extra mile by testing your ruleset, he has found no obvious problems.

It would seem the issue is elsewhere, one probable cause is that your ISP is filtering packets themselves... perhaps they're blocking incoming traffic on port 80.

Please try using a different port to confirm if this is the case.

[birdmansdomain]

Hmm strange.

Quote:

Server:
/etc/hostname.ne3 contained "inet 192.168.0.10/24"
/etc/mygate contained "192.168.0.1"

Maybe i need to clarify more, web server is running ubuntu there is no hostname.*. There is a hostname "phreaks-desktop" Also there is no mygate

Quote:

Router:
/etc/hostname.ne3 contained "inet 10.0.0.1/24"
/etc/hostname.ne4 contained "inet 192.168.0.1/24"
/etc/sysctl.conf contained "net.inet.ip.forwarding=1"
an empty /etc/ssh-violate was created with touch(1)
your pf.conf was enabled, with the following changes: ext_if="ne3", int_if="ne4", wifi_if="ne5"

mygate is 192.168.1.1
hostname.re0 contains inet 192.168.0.1
hostname.ral0 contains inet 192.168.1.1
Router is OpenBSD

Workstation is ubuntu as well, there is no hostname.*

Quote:

It would seem the issue is elsewhere, one probable cause is that your ISP is filtering packets themselves... perhaps they're blocking incoming traffic on port 80.

When i run tcpdump -neti pflog0 action pass i see the connection

[birdmansdomain]

BTW thanks for being so helpfull

[jggimi]

#1:
-------
Please post the output of

$ route -n show -inet

You may redact any private information, such as your Internet IP address.

I ask for your routing information, because you just stated that you have a mygate(1) file, containing incorrect information ("192.168.1.1"). Your default route should be assigned by your ISP. If your ISP connection uses DHCP, the default route will be added when you connect. If your ISP connection is static, your ISP should have provided this information.

/etc/mygate is used for static ip address configurations, and describes the default route. Perhaps, if you are using DHCP, a default route is already correctly added, then the use of an incorrect /etc/mygate just causes an error when /etc/netstart issues the route add for it. (That error should appear in /var/log/messages with each boot; you may want to look for it.)
-------
#2
-------
Run tcpdump against your internal wired network, to see if the incoming Sync packet from the Internet makes it onto the local LAN. Perhaps the source of your problem is the server at 192.168.0.10. If you see packets get sent to the server, but no valid responses, you have a server problem. If you see valid two-way traffic back and forth, then run tcpdump against your external network. On the external network, if you only see the incoming packet, but no outbound responses, you have a routing problem.

e.g.:

# tcpdump -neti re0 host 192.168.0.10
# tcpdump -neti em0 host <your remote workstation>

[jggimi]

To be clear, regarding IP routing:

• Communication between two addresses on the same subnet do not need routing; the underlying subnet protocol (usually Ethernet) provides the addressing (usually MAC), via Address Resolution Protocol (ARP). This is used between your server and your router on the 192.168.0/24 subnet, between your wireless workstations and your router on the 192.168.1/24 subnet, and betwen your router and your ISP's router, on whatever subnet your router connects to within your ISP.
• All communications that goes beyond a single subnet must be routed.
• A subnet with a single router only needs a default route: the IP address of the router on that subnet. e.g.: Your wireless workstations on 192.168.1/24 need only a default gateway of 192.168.1.1; the address of your OpenBSD router on that subnet. Your wired servers on 192.168.0/24 need only a default gateway of 192.168.0.1; the address of your OpenBSD router on that subnet.
• Your OpenBSD router is connected to three different subnets. It's default route should be to your ISPs router somewhere on the em0 subnet.

[s2scott]

Change your /etc/pf.conf per the BLUE and RED config fragments. Be careful about OBSERVING the very subtle changes (e.g. no "pass" in the rdr) and differences in keyword spellings (e.g. tag and tagged)

restart pf...

Code:

pfctl -F all -vvf pf.conf

Re-test and advise -- with ACTUAL paste of whole pf.conf. Including

Code:

tcpdump -eni pflog0

would help us help you.

Code:

ext_if="em0"
int_if="re0"
wifi_if="ral0"
local_net="{192.168.0.1/24, 192.168.1.1/24}"
server="{ 192.168.0.10/32 }"
icmp_types="echoreq"
tcp_flags="flags S/SA keep state"
table <abusers> persist

set require-order no
set skip on lo
scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)
# ---- start group -----
rdr on $ext_if inet proto { tcp udp } \
 from any to ($ext_if:0) port 80 tag MyWWW -> $server port 80
#
pass in log quick on $ext_if inet proto {tcp udp} \
 tagged MyWWW flags S/SA modulate state
#
pass out log quick on $int_if inet proto {tcp udp} \
 tagged MyWWW keep state
# ----- end group -----

block drop log all
block in log quick from <abusers>

pass out log on $ext_if proto tcp from any to any flags S/SA
pass out log on $ext_if proto { udp,icmp } from any to any

pass in log quick inet proto icmp all icmp-type $icmp_types
pass in log quick on $wifi_if proto tcp to ($wifi_if) port ssh $tcp_flags (max-src-conn 8, max-src-conn-rate 15/5, overload <abusers> flush global)

pass quick on { lo, $int_if, $wifi_if } # I don't write rules this way.

# antispoof quick for { lo, $int_if, $ext_if, $wifi_if } # comment out for test purposes

[birdmansdomain]

yeh your sample didnt work, i put www on firewall and didnt have to worry about rdr rule. Working great now