Since both of our OpenBSD experts are reading mail this afternoon,
let me pose the question that I sent to [EMAIL PROTECTED] earlier
today.

                                        K<bob>

-----------------------------------------------------------------------------
I'm building a firewall/router from OpenBSD 3.0-current, and I'm using
the new pf for filtering and NAT.

I can't get the rdr statement to work right in /etc/nat.conf.

The external interface is dc0, a Macronix 98715.  It is listening on 3
static IP addresses out of a /29 subnet.  There are four internal
interfaces, de0-de3, on a LinkSys DFE-570TX four-port card.

The 192.168.0.0/24 net is attached to de0.  I want to redirect ssh
connections from outside to host 192.168.0.4.

So I added this rule to /etc/nat.conf. (reformatted for mail)

        rdr on dc0 proto tcp from any to 216.210.236.194 port ssh
                                          -> 192.168.0.4 port ssh

It doesn't work.  tcpdump shows that pf thinks it's routing packets to
de0, but they don't come out of de0.  An external packet sniffer can't
see them, and of course, sshd on 192.168.0.4 doesn't get them.

Other traffic does go through de0 just fine, so it's not like the
cable isn't plugged in. (-:

What am I missing?

Thanks in advance...

Below is a typescript demonstrating the problem and showing the system
configuration.

                                        K<bob>

------------------------------------------------------------------------------
Script started on Mon Oct 29 12:53:14 2001
fw ~> sudo ./way-too-much-info.sh
Password:



==========  sniffing: sleep 60  ==========
            (external host 207.189.131.4 tries to ssh to 216.210.236.194)



12:53:32.312264 dc0 (extern) arp who-has 216.210.236.194 tell 216.210.236.193
12:53:32.312305 dc0 (extern) arp reply 216.210.236.194 is-at 0:80:c6:f9:8c:6
12:53:32.312868 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
12:53:32.312917 rule 0/0(match): pass in on dc0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:53:32.312972 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:53:35.309094 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
12:53:35.309176 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:53:41.306736 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
12:53:41.306809 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:54:21.959866 de0 (intern) arp who-has 192.168.0.5 tell 192.168.0.116



==========  sniffing: telnet 192.168.0.4 ssh  ==========
            (192.168.0.4 accepts ssh connections)

Trying 192.168.0.4...
Connected to 192.168.0.4.
Escape character is '^]'.
SSH-2.0-OpenSSH_2.9.9p2
Connection closed by foreign host.


12:54:40.417132 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
12:54:40.417318 de0 (intern) arp who-has 192.168.0.2 tell 192.168.0.4
12:54:40.417418 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.417438 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.417507 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
12:54:40.418928 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 24 (DF)
12:54:40.418988 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 24 (DF)
12:54:40.419641 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
12:54:40.419968 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
12:54:40.420142 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.420175 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.421015 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.421067 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.421170 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]



==========  dmesg  ==========

OpenBSD 3.0-beta (GENERIC) #0: Fri Oct 19 01:59:24 PDT 2001
    kbob@fw:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron (Mendocino) ("GenuineIntel" 686-class, 128KB L2 cache) 468 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SYS,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 65634304 (64096K)
avail mem = 55537664 (54236K)
using 826 buffers containing 3383296 bytes (3304K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(49) BIOS, date 10/28/99, BIOS32 rev. 0 @ 0xf06b0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xf0000/0xf02
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf0e70/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB PCI-ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0x8000
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82810" rev 0x03: rng active, 9Kb/sec
vga1 at pci0 dev 1 function 0 "Intel 82810 Graphics" rev 0x03
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 "Intel 82801AA Hub-to-PCI" rev 0x02
pci1 at ppb0 bus 1
dc0 at pci1 dev 8 function 0 "Macronix PMAC 98715" rev 0x25: irq 11 address 00:80:c6:f9:8c:06
dcphy0 at dc0 phy 31: internal PHY
ppb1 at pci1 dev 9 function 0 "DEC 21152 PCI-PCI" rev 0x03
pci2 at ppb1 bus 2
de0 at pci2 dev 4 function 0 "DEC 21142/3" rev 0x41: irq 10
de0: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:95
de1 at pci2 dev 5 function 0 "DEC 21142/3" rev 0x41: irq 12
de1: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:96
de2 at pci2 dev 6 function 0 "DEC 21142/3" rev 0x41: irq 5
de2: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:97
de3 at pci2 dev 7 function 0 "DEC 21142/3" rev 0x41: irq 11
de3: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:98
pcib0 at pci0 dev 31 function 0 "Intel 82801AA LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801AA IDE" rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <IBM-DTTA-371440>
wd0: 16-sector PIO, LBA, 13783MB, 16383 cyl, 16 head, 63 sec, 28229040 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 "Intel 82801AA USB" rev 0x02: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82801AA SMBus" rev 0x02 at pci0 dev 31 function 3 not configured
auich0 at pci0 dev 31 function 5 "Intel 82801AA AC-97 Audio" rev 0x02: irq 10 ICH AC97
ac97: codec id 0x41445340 (Analog Devices AD1881)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at auich0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask 4020 netmask 5c20 ttymask 5ca2
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
de0: enabling 100baseTX port
de1: enabling 10baseT port
de1: abnormal interrupt: receive process stopped
de2: autosense failed: cable problem?
de3: autosense failed: cable problem?



==========  cat /etc/sysctl.conf  ==========

#       $OpenBSD: sysctl.conf,v 1.24 2001/08/07 14:07:47 deraadt Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0         # 0=disable TCP RFC1323 extensions (for if tcp is slow)
net.inet.esp.enable=1           # 0=Disable the ESP IPsec protocol
net.inet.ah.enable=1            # 0=Disable the AH IPsec protocol
#net.inet.ipcomp.enable=1       # 1=Enable the IPCOMP protocol
#ddb.panic=0                    # 0=Do not drop into ddb on a kernel panic
#ddb.console=1                  # 1=Permit entry of ddb from the console
#fs.posix.setuid=0              # 0=Traditional BSD chown() semantics
vm.swapencrypt.enable=1         # 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4            # number of nfsio kernel threads
#net.inet.ip.mtudisc=0          # 0=disable tcp mtu discovery



==========  pfctl -s all  ==========

@0 pass in log all 
@1 pass out log all 
@nat on dc0 from 192.168.0.0/24 to any -> 216.210.236.194 
@nat on dc0 from 192.168.1.0/24 to any -> 216.210.236.195 
@nat on dc0 from 192.168.2.0/24 to any -> 216.210.236.196 
@rdr on dc0 proto tcp from any to 216.210.236.194/32 port 22 -> 192.168.0.4 port 22
@rdr on de1 proto tcp from any to 216.210.236.194/32 port 22 -> 192.168.0.4 port 22
@rdr on de2 proto tcp from any to 216.210.236.194/32 port 22 -> 192.168.0.4 port 22
Status: Enabled  Time: 1004388888  Since: 1004380160  Debug: None
Bytes In IPv4: 0           Bytes Out: 0         
         IPv6: 0           Bytes Out: 0         
Inbound Packets IPv4:  Passed: 0           Dropped: 0         
                IPv6:  Passed: 0           Dropped: 0         
Outbound Packets IPv4: Passed: 0           Dropped: 0         
                 IPv6: Passed: 0           Dropped: 0         
States: 0
pf Counters
state searches            208792  
state inserts             11      
state removals            11      
Counters
match                     155896  
bad-offset                0       
fragment                  0       
short                     0       
normalize                 0       
memory                    0       



==========  ifconfig -A  ==========

lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33224
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000 
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (10baseT)
        status: active
        inet 216.210.236.194 netmask 0xfffffff8 broadcast 216.210.236.199
        inet6 fe80::280:c6ff:fef9:8c06%dc0 prefixlen 64 scopeid 0x1
        inet 216.210.236.195 netmask 0xffffffff broadcast 216.210.236.195
        inet 216.210.236.196 netmask 0xffffffff broadcast 216.210.236.196
de0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX)
        status: active
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::280:c8ff:feb9:b195%de0 prefixlen 64 scopeid 0x2
de1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (10baseT)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::280:c8ff:feb9:b196%de1 prefixlen 64 scopeid 0x3
de2: flags=8c63<UP,BROADCAST,NOTRAILERS,RUNNING,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::280:c8ff:feb9:b197%de2 prefixlen 64 scopeid 0x4
de3: flags=8c63<UP,BROADCAST,NOTRAILERS,RUNNING,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
        inet6 fe80::280:c8ff:feb9:b198%de3 prefixlen 64 scopeid 0x5
pflog0: flags=41<UP,RUNNING> mtu 33224
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
vlan1: flags=0<> mtu 1500
gre0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280



==========  netstat -rnfinet  ==========

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            216.210.236.193    UGS         0        9   1500   dc0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          4       10  33224   lo0
192.168.0/24       link#2             UC          0        0   1500   de0
192.168.0.4        0:48:54:67:2c:4e   UHL         2    37348   1500   de0
192.168.1/24       link#3             UC          0        0   1500   de1
192.168.1.103      0:30:65:2e:6:bd    UHL         0        0   1500   de1
192.168.2/24       link#4             UC          0        0   1500   de2
192.168.3/24       link#5             UC          0        0   1500   de3
216.210.236.192/29 link#1             UC          0        0   1500   dc0
216.210.236.193    0:20:6f:7:df:74    UHL         1        0   1500   dc0
216.210.236.194    127.0.0.1          UGHS        0    71851  33224   lo0
216.210.236.195    127.0.0.1          UGHS        0        0  33224   lo0 =>
216.210.236.195/32 link#1             UC          0        0   1500   dc0
216.210.236.196    127.0.0.1          UGHS        0        0  33224   lo0 =>
216.210.236.196/32 link#1             UC          0        0   1500   dc0
224/4              127.0.0.1          URS         0        0  33224   lo0



==========  cat way-too-much-info.sh  ==========

#!/bin/sh

# Temporarily stop pflogd and bypass the packet filter.

    kill `ps ax | awk '/pfl\ogd/{print $1}'`
    pfctl -R - -N /etc/nat.conf <<EOF
        pass in log all
        pass out log all
EOF

# use: do_and_sniff comment command...

function do_and_sniff {

    comment="$1"; shift
    echo "\n\n\n==========  sniffing: $@  ==========\n            ($comment)\n"

    # Start logging packets at the packet filter and at de0 and dc0.

    rm -f /tmp/pf.dump /tmp/dc0.dump /tmp/de0.dump
    pflogd -d 5 -D -f /tmp/pf.dump 2> /dev/null &
    logdpid=$!
    tcpdump -p -w /tmp/dc0.dump -i dc0 2> /dev/null &
    dc0pid=$!
    tcpdump -p -w /tmp/de0.dump -i de0 2> /dev/null &
    de0pid=$!
    sleep 2                     # wait for tcpdumps to start

    # Run the command.

    "$@"
    sleep 6                     # wait for tcpdumps to finish

    # Stop logging packets.

    kill $logdpid $dc0pid $de0pid
    sleep 2

    # Show the packets.  Sort by timestamp.

    echo "\n"
    {
        tcpdump -qner /tmp/pf.dump
        tcpdump -qnr /tmp/dc0.dump | sed 's/ / dc0 (extern) /'
        tcpdump -qnr /tmp/de0.dump | sed 's/ / de0 (intern) /'
     } | sort -n
}

# Demonstrate the problem.

    do_and_sniff \
        "external host 207.189.131.4 tries to ssh to 216.210.236.194" \
        sleep 60

# Demonstrate that sshd on 192.168.0.4 is working.

    do_and_sniff \
        "192.168.0.4 accepts ssh connections" \
        telnet 192.168.0.4 ssh < /dev/null

# Print various system info

    function show {
        echo "\n\n\n==========  $@  ==========\n"
        "$@"
    }

    show dmesg
    show cat /etc/sysctl.conf
    show pfctl -s all
    show ifconfig -A
    show netstat -rnfinet
    show cat way-too-much-info.sh

# Restore packet filter and pflogd.

    pfctl -R /etc/pf.conf -N /etc/nat.conf
    pflogd

fw ~> exit

Script done on Mon Oct 29 12:55:41 2001
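A triage check for the merged log format the poster's do_and_sniff script emits, added here as an example and not part of the original post: it pairs each pf "pass out on IF" entry with the tcpdump capture on that same interface and reports the flows pf claims to have passed that the wire sniffer never recorded. The sample lines are constructed for this example (seven copied from the transcript above, unwrapped, plus two made-up dc0 lines so one flow does reach the wire).

```python
import re
from collections import defaultdict

# Constructed sample in the merged format do_and_sniff produces (pf log lines and
# tcpdump lines tagged with their interface). The first seven copy the post's own
# entries; the last two are made up here to show a flow that does reach the wire.
SAMPLE = """\
12:53:32.312868 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
12:53:32.312917 rule 0/0(match): pass in on dc0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:53:32.312972 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:54:21.959866 de0 (intern) arp who-has 192.168.0.5 tell 192.168.0.116
12:54:40.417132 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
12:54:40.417418 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.417438 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.417500 rule 1/0(match): pass out on dc0: 10.0.0.9.1025 > 10.0.0.1.22: tcp 0 (DF)
12:54:40.417510 dc0 (extern) 10.0.0.9.1025 > 10.0.0.1.22: tcp 0 (DF)
"""

# pflog line: "<ts> rule N/M(match): pass out on de0: src.port > dst.port: ..."
PF_RE = re.compile(r"^\S+ rule \d+/\d+\(match\): (pass|block) (in|out) on (\w+): (\S+) > (\S+): ")
# wire line: "<ts> de0 (intern) src.port > dst.port: ..." (arp lines have no '>' and are skipped)
WIRE_RE = re.compile(r"^\S+ (\w+) \((?:extern|intern)\) (\S+) > (\S+): ")

def parse_merged_log(text):
    """Per interface: flows (src, dst) pf passed out, and flows actually captured."""
    passed_out, on_wire = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = PF_RE.match(line)
        if m:
            action, direction, ifname, src, dst = m.groups()
            if action == "pass" and direction == "out":
                passed_out[ifname].add((src, dst))
            continue
        m = WIRE_RE.match(line)
        if m:
            ifname, src, dst = m.groups()
            on_wire[ifname].add((src, dst))
    return passed_out, on_wire

def missing_on_wire(text):
    """Flows pf logged as 'pass out on IF' that never show up in IF's own capture."""
    passed_out, on_wire = parse_merged_log(text)
    return {ifname: sorted(flows - on_wire[ifname])
            for ifname, flows in passed_out.items() if flows - on_wire[ifname]}

if __name__ == "__main__":
    for ifname, flows in missing_on_wire(SAMPLE).items():
        for src, dst in flows:
            print(f"{ifname}: pf passed {src} > {dst} but the sniffer never saw it")
```

Run over the second transcript above, the check also flags the firewall's own 192.168.0.2 to 192.168.0.4 packets as unseen on de0 even though that telnet connected, so the de0 capture itself deserves a second look before it is used as evidence that packets never left the box.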
