Also, have you read this? This demonstrates a slight difference in pf from ipf... http://marc.theaimsgroup.com/?l=openbsd-tech&m=100220976320265&w=2
TimH

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob Miller
> Sent: Monday, October 29, 2001 4:08 PM
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3514] Can't get pf rdr to work.
>
>
> Since both of our OpenBSD experts are reading mail this afternoon,
> let me pose the question that I sent to [EMAIL PROTECTED] earlier
> today.
>
> K<bob>
>
> -----------------------------------------------------------------------------
> I'm building a firewall/router from OpenBSD 3.0-current, and I'm using
> the new pf for filtering and NAT.
>
> I can't get the rdr statement to work right in /etc/nat.conf.
>
> The external interface is dc0, a Macronix 98715. It is listening on 3
> static IP addresses out of a /29 subnet. There are four internal
> interfaces, de0-de3, on a LinkSys DFE-570TX four-port card.
>
> The 192.168.0.0/24 net is attached to de0. I want to redirect ssh
> connections from outside to host 192.168.0.4.
>
> So I added this rule to /etc/nat.conf. (reformatted for mail)
>
>     rdr on dc0 proto tcp from any to 216.210.236.194 port ssh
>         -> 192.168.0.4 port ssh
>
> It doesn't work. tcpdump shows that pf thinks it's routing packets to
> de0, but they don't come out of de0. An external packet sniffer can't
> see them, and of course, sshd on 192.168.0.4 doesn't get them.
>
> Other traffic does go through de0 just fine, so it's not like the
> cable isn't plugged in. (-:
>
> What am I missing?
>
> Thanks in advance...
>
> Below is a typescript demonstrating the problem and showing the system
> configuration.
>
> K<bob>
>
> ------------------------------------------------------------------------------
> Script started on Mon Oct 29 12:53:14 2001
> fw ~> sudo ./way-too-much-info.sh
> Password:
>
>
>
> ========== sniffing: sleep 60 ==========
> (external host 207.189.131.4 tries to ssh to 216.210.236.194)
>
> 12:53:32.312264 dc0 (extern) arp who-has 216.210.236.194 tell 216.210.236.193
> 12:53:32.312305 dc0 (extern) arp reply 216.210.236.194 is-at 0:80:c6:f9:8c:6
> 12:53:32.312868 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
> 12:53:32.312917 rule 0/0(match): pass in on dc0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
> 12:53:32.312972 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
> 12:53:35.309094 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
> 12:53:35.309176 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
> 12:53:41.306736 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
> 12:53:41.306809 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
> 12:54:21.959866 de0 (intern) arp who-has 192.168.0.5 tell 192.168.0.116
>
>
>
> ========== sniffing: telnet 192.168.0.4 ssh ==========
> (192.168.0.4 accepts ssh connections)
>
> Trying 192.168.0.4...
> Connected to 192.168.0.4.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_2.9.9p2
> Connection closed by foreign host.
>
>
> 12:54:40.417132 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
> 12:54:40.417318 de0 (intern) arp who-has 192.168.0.2 tell 192.168.0.4
> 12:54:40.417418 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.417438 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.417507 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
> 12:54:40.418928 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 24 (DF)
> 12:54:40.418988 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 24 (DF)
> 12:54:40.419641 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
> 12:54:40.419968 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
> 12:54:40.420142 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.420175 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.421015 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.421067 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
> 12:54:40.421170 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
>
>
>
> ========== dmesg ==========
>
> OpenBSD 3.0-beta (GENERIC) #0: Fri Oct 19 01:59:24 PDT 2001
>     kbob@fw:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel Celeron (Mendocino) ("GenuineIntel" 686-class, 128KB L2 cache) 468 MHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SYS,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
> real mem = 65634304 (64096K)
> avail mem = 55537664 (54236K)
> using 826 buffers containing 3383296 bytes (3304K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(49) BIOS, date 10/28/99, BIOS32 rev. 0 @ 0xf06b0
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> pcibios0 at bios0: rev. 2.1 @ 0xf0000/0xf02
> pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf0e70/144 (7 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB PCI-ISA" rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc0000/0x8000
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82810" rev 0x03: rng active, 9Kb/sec
> vga1 at pci0 dev 1 function 0 "Intel 82810 Graphics" rev 0x03
> wsdisplay0 at vga1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> ppb0 at pci0 dev 30 function 0 "Intel 82801AA Hub-to-PCI" rev 0x02
> pci1 at ppb0 bus 1
> dc0 at pci1 dev 8 function 0 "Macronix PMAC 98715" rev 0x25: irq 11 address 00:80:c6:f9:8c:06
> dcphy0 at dc0 phy 31: internal PHY
> ppb1 at pci1 dev 9 function 0 "DEC 21152 PCI-PCI" rev 0x03
> pci2 at ppb1 bus 2
> de0 at pci2 dev 4 function 0 "DEC 21142/3" rev 0x41: irq 10
> de0: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:95
> de1 at pci2 dev 5 function 0 "DEC 21142/3" rev 0x41: irq 12
> de1: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:96
> de2 at pci2 dev 6 function 0 "DEC 21142/3" rev 0x41: irq 5
> de2: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:97
> de3 at pci2 dev 7 function 0 "DEC 21142/3" rev 0x41: irq 11
> de3: 21143 [10-100Mb/s] pass 4.1 address 00:80:c8:b9:b1:98
> pcib0 at pci0 dev 31 function 0 "Intel 82801AA LPC" rev 0x02
> pciide0 at pci0 dev 31 function 1 "Intel 82801AA IDE" rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: <IBM-DTTA-371440>
> wd0: 16-sector PIO, LBA, 13783MB, 16383 cyl, 16 head, 63 sec, 28229040 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> uhci0 at pci0 dev 31 function 2 "Intel 82801AA USB" rev 0x02: irq 5
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> "Intel 82801AA SMBus" rev 0x02 at pci0 dev 31 function 3 not configured
> auich0 at pci0 dev 31 function 5 "Intel 82801AA AC-97 Audio" rev 0x02: irq 10 ICH AC97
> ac97: codec id 0x41445340 (Analog Devices AD1881)
> ac97: codec features headphone, Analog Devices Phat Stereo
> audio0 at auich0
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> sysbeep0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> npx0 at isa0 port 0xf0/16: using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> biomask 4020 netmask 5c20 ttymask 5ca2
> pctr: 686-class user-level performance counters enabled
> mtrr: Pentium Pro MTRR support
> dkcsum: wd0 matched BIOS disk 80
> root on wd0a
> rootdev=0x0 rrootdev=0x300 rawdev=0x302
> de0: enabling 100baseTX port
> de1: enabling 10baseT port
> de1: abnormal interrupt: receive process stopped
> de2: autosense failed: cable problem?
> de3: autosense failed: cable problem?
>
>
>
> ========== cat /etc/sysctl.conf ==========
>
> # $OpenBSD: sysctl.conf,v 1.24 2001/08/07 14:07:47 deraadt Exp $
> #
> # This file contains a list of sysctl options the user wants set at
> # boot time.  See sysctl(3) and sysctl(8) for more information on
> # the many available variables.
> #
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
> #net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of packets
> #net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)
> #net.inet.tcp.rfc1323=0         # 0=disable TCP RFC1323 extensions (for if tcp is slow)
> net.inet.esp.enable=1           # 0=Disable the ESP IPsec protocol
> net.inet.ah.enable=1            # 0=Disable the AH IPsec protocol
> #net.inet.ipcomp.enable=1       # 1=Enable the IPCOMP protocol
> #ddb.panic=0                    # 0=Do not drop into ddb on a kernel panic
> #ddb.console=1                  # 1=Permit entry of ddb from the console
> #fs.posix.setuid=0              # 0=Traditional BSD chown() semantics
> vm.swapencrypt.enable=1         # 1=Encrypt pages that go to swap
> #vfs.nfs.iothreads=4            # number of nfsio kernel threads
> #net.inet.ip.mtudisc=0          # 0=disable tcp mtu discovery
>
>
>
> ========== pfctl -s all ==========
>
> @0 pass in log all
> @1 pass out log all
> @nat on dc0 from 192.168.0.0/24 to any -> 216.210.236.194
> @nat on dc0 from 192.168.1.0/24 to any -> 216.210.236.195
> @nat on dc0 from 192.168.2.0/24 to any -> 216.210.236.196
> @rdr on dc0 proto tcp from any to 216.210.236.194/32 port 22 -> 192.168.0.4 port 22
> @rdr on de1 proto tcp from any to 216.210.236.194/32 port 22 -> 192.168.0.4 port 22
> @rdr on de2 proto tcp from any to 216.210.236.194/32 port 22 -> 192.168.0.4 port 22
> Status: Enabled  Time: 1004388888  Since: 1004380160  Debug: None
> Bytes In  IPv4: 0  Bytes Out: 0
>           IPv6: 0  Bytes Out: 0
> Inbound Packets  IPv4: Passed: 0  Dropped: 0
>                  IPv6: Passed: 0  Dropped: 0
> Outbound Packets IPv4: Passed: 0  Dropped: 0
>                  IPv6: Passed: 0  Dropped: 0
> States: 0
> pf Counters
>   state searches   208792
>   state inserts    11
>   state removals   11
> Counters
>   match            155896
>   bad-offset       0
>   fragment         0
>   short            0
>   normalize        0
>   memory           0
>
>
>
> ========== ifconfig -A ==========
>
> lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33224
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
> lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (10baseT)
>         status: active
>         inet 216.210.236.194 netmask 0xfffffff8 broadcast 216.210.236.199
>         inet6 fe80::280:c6ff:fef9:8c06%dc0 prefixlen 64 scopeid 0x1
>         inet 216.210.236.195 netmask 0xffffffff broadcast 216.210.236.195
>         inet 216.210.236.196 netmask 0xffffffff broadcast 216.210.236.196
> de0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (100baseTX)
>         status: active
>         inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
>         inet6 fe80::280:c8ff:feb9:b195%de0 prefixlen 64 scopeid 0x2
> de1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (10baseT)
>         status: active
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::280:c8ff:feb9:b196%de1 prefixlen 64 scopeid 0x3
> de2: flags=8c63<UP,BROADCAST,NOTRAILERS,RUNNING,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect
>         inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>         inet6 fe80::280:c8ff:feb9:b197%de2 prefixlen 64 scopeid 0x4
> de3: flags=8c63<UP,BROADCAST,NOTRAILERS,RUNNING,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect
>         inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
>         inet6 fe80::280:c8ff:feb9:b198%de3 prefixlen 64 scopeid 0x5
> pflog0: flags=41<UP,RUNNING> mtu 33224
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
> sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> tun0: flags=10<POINTOPOINT> mtu 3000
> tun1: flags=10<POINTOPOINT> mtu 3000
> enc0: flags=0<> mtu 1536
> bridge0: flags=0<> mtu 1500
> bridge1: flags=0<> mtu 1500
> vlan0: flags=0<> mtu 1500
> vlan1: flags=0<> mtu 1500
> gre0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
> gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
>
>
>
> ========== netstat -rnfinet ==========
>
> Routing tables
>
> Internet:
> Destination         Gateway             Flags  Refs    Use    Mtu  Interface
> default             216.210.236.193     UGS       0      9   1500  dc0
> 127/8               127.0.0.1           UGRS      0      0  33224  lo0
> 127.0.0.1           127.0.0.1           UH        4     10  33224  lo0
> 192.168.0/24        link#2              UC        0      0   1500  de0
> 192.168.0.4         0:48:54:67:2c:4e    UHL       2  37348   1500  de0
> 192.168.1/24        link#3              UC        0      0   1500  de1
> 192.168.1.103       0:30:65:2e:6:bd     UHL       0      0   1500  de1
> 192.168.2/24        link#4              UC        0      0   1500  de2
> 192.168.3/24        link#5              UC        0      0   1500  de3
> 216.210.236.192/29  link#1              UC        0      0   1500  dc0
> 216.210.236.193     0:20:6f:7:df:74     UHL       1      0   1500  dc0
> 216.210.236.194     127.0.0.1           UGHS      0  71851  33224  lo0
> 216.210.236.195     127.0.0.1           UGHS      0      0  33224  lo0 =>
> 216.210.236.195/32  link#1              UC        0      0   1500  dc0
> 216.210.236.196     127.0.0.1           UGHS      0      0  33224  lo0 =>
> 216.210.236.196/32  link#1              UC        0      0   1500  dc0
> 224/4               127.0.0.1           URS       0      0  33224  lo0
>
>
>
> ========== cat way-too-much-info.sh ==========
>
> #!/bin/sh
>
> # Temporarily stop pflogd and bypass the packet filter.
>
> kill `ps ax | awk '/pfl\ogd/{print $1}'`
> pfctl -R - -N /etc/nat.conf <<EOF
> pass in log all
> pass out log all
> EOF
>
> # use: do_and_sniff comment command...
>
> function do_and_sniff {
>
>     comment="$1"; shift
>     echo "\n\n\n========== sniffing: $@ ==========\n($comment)\n"
>
>     # Start logging packets at the packet filter and at de0 and dc0.
>
>     rm -f /tmp/pf.dump /tmp/dc0.dump /tmp/de0.dump
>     pflogd -d 5 -D -f /tmp/pf.dump 2> /dev/null &
>     logdpid=$!
>     tcpdump -p -w /tmp/dc0.dump -i dc0 2> /dev/null &
>     dc0pid=$!
>     tcpdump -p -w /tmp/de0.dump -i de0 2> /dev/null &
>     de0pid=$!
>     sleep 2                     # wait for tcpdumps to start
>
>     # Run the command.
>
>     "$@"
>     sleep 6                     # wait for tcpdumps to finish
>
>     # Stop logging packets.
>
>     kill $logdpid $dc0pid $de0pid
>     sleep 2
>
>     # Show the packets.  Sort by timestamp.
>
>     echo "\n"
>     {
>         tcpdump -qner /tmp/pf.dump
>         tcpdump -qnr /tmp/dc0.dump | sed 's/ / dc0 (extern) /'
>         tcpdump -qnr /tmp/de0.dump | sed 's/ / de0 (intern) /'
>     } | sort -n
> }
>
> # Demonstrate the problem.
>
> do_and_sniff \
>     "external host 207.189.131.4 tries to ssh to 216.210.236.194" \
>     sleep 60
>
> # Demonstrate that sshd on 192.168.0.4 is working.
>
> do_and_sniff \
>     "192.168.0.4 accepts ssh connections" \
>     telnet 192.168.0.4 ssh < /dev/null
>
> # Print various system info
>
> function show {
>     echo "\n\n\n========== $@ ==========\n"
>     "$@"
> }
>
> show dmesg
> show cat /etc/sysctl.conf
> show pfctl -s all
> show ifconfig -A
> show netstat -rnfinet
> show cat way-too-much-info.sh
>
> # Restore packet filter and pflogd.
>
> pfctl -R /etc/pf.conf -N /etc/nat.conf
> pflogd
>
> fw ~> exit
>
> Script done on Mon Oct 29 12:55:41 2001
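The typescript above compares pf's own log with the wire captures on dc0 and de0 by eye. The Python below is an added example, not part of the original post or of OpenBSD; it automates that comparison on a constructed sample modelled on those merged tcpdump/pflog lines: for every flow pf passed out on the internal interface toward the rdr port, it records the translated destination and whether any packet back to the client was ever seen on that interface's capture, which is the only evidence that the redirected SYN reached the wire and got answered. The function names and the sample text are mine.

```python
import re

# Constructed sample modelled on the merged pflog/tcpdump output in the post:
# the first flow is the rdr'd ssh attempt, the second the working local telnet.
SAMPLE = """\
12:53:32.312868 dc0 (extern) 207.189.131.4.7812 > 216.210.236.194.22: tcp 0 (DF)
12:53:32.312917 rule 0/0(match): pass in on dc0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:53:32.312972 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:53:35.309176 rule 1/0(match): pass out on de0: 207.189.131.4.7812 > 192.168.0.4.22: tcp 0 (DF)
12:54:21.959866 de0 (intern) arp who-has 192.168.0.5 tell 192.168.0.116
12:54:40.417132 rule 1/0(match): pass out on de0: 192.168.0.2.44596 > 192.168.0.4.22: tcp 0 (DF) [tos 0x10]
12:54:40.417418 de0 (intern) 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
12:54:40.417438 rule 0/0(match): pass in on de0: 192.168.0.4.22 > 192.168.0.2.44596: tcp 0 (DF)
"""

# One pattern for both line shapes: "<iface> (extern|intern)" from the wire
# captures and "rule N/M(match): <verdict> <dir> on <iface>:" from pflog.
LINE = re.compile(
    r"^(?P<ts>\S+) (?:(?P<wire>\w+) \((?:extern|intern)\)|"
    r"rule \S+: (?P<verdict>\w+) (?P<dir>in|out) on (?P<pfif>\w+):) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): tcp"
)

def parse(text):
    """Return one dict per TCP line; ARP and other non-TCP lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def audit_rdr(text, internal_if="de0", rdr_port="22"):
    """For each flow pf passed out on internal_if toward rdr_port, record the
    translated destination and whether the wire capture on that interface saw
    any packet back to the client (the only proof the server got the SYN)."""
    flows, replies = {}, set()
    for r in parse(text):
        if r["pfif"] == internal_if and r["dir"] == "out" and r["dport"] == rdr_port:
            flows[(r["src"], r["sport"])] = r["dst"]
        if r["wire"] == internal_if:
            replies.add((r["dst"], r["dport"]))
    return {f"{ip}:{port}": {"translated_to": dst, "reply_on_wire": (ip, port) in replies}
            for (ip, port), dst in flows.items()}

def unanswered(text, **kw):
    """Flows pf sent to the internal interface that the wire never answered."""
    return sorted(k for k, v in audit_rdr(text, **kw).items() if not v["reply_on_wire"])

if __name__ == "__main__":
    for flow, info in audit_rdr(SAMPLE).items():
        print(flow, "->", info["translated_to"], "reply seen:", info["reply_on_wire"])
    print("unanswered:", unanswered(SAMPLE))
```

Feeding it the real merged output of do_and_sniff (the sorted block the script prints) lists exactly the flows that pf translated and passed but that never produced a response on de0, which is the symptom the post describes.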
