On Tue, 28 Oct 2014 13:40:52 -0400
trondd <tro...@gmail.com> wrote:

> Are you telnetting to the external IP of the server from the internal
> client?

Yes. Actually I've tried using the external IP and the internal IP.
Both have the same result - telnet says 'telnet: Unable to connect to
remote host: Connection refused'.

Telnetting from an external machine works fine.

> 
> Have you enabled logging in pf?  Are the packets blocked or are they passed
> by a different rule that doesn't give the expected results?

Yes, I've enabled logging and I see various items such as:

ju...@server-55.my.domain:~ > sudo tcpdump -v -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
18:51:26.909339 142-93-134-95.pool.ukrtel.net.4758 > 
82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] 
(ttl 117, id 29686, len 48)
18:51:27.465183 142-93-134-95.pool.ukrtel.net.4758 > 
82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] 
(ttl 117, id 29765, len 48)
18:51:27.909397 142-93-134-95.pool.ukrtel.net.4758 > 
82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] 
(ttl 117, id 29841, len 48)

But I don't see anything when the internal connection is refused.

I enabled logging with:

    sudo ifconfig pflog0 up
    sudo tcpdump -v -i pflog0

For completeness, here's my pf.conf:

========
int_if="sk0"
ext_if="rl0"

tcp_services="{ 22, 80, 113 }"
icmp_types="echoreq"

# options

set block-policy return
set loginterface egress
set skip on lo

# match rules

match out on egress inet from !(egress:network) to any nat-to (egress:0)

# filter rules

block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

pass in inet proto icmp all icmp-type $icmp_types

# Redirect Undo keyserver connections to pc5:
pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281

# Attempting to allow 5281 to forward to pc5 from internal network. But doesn't
# work...
pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
#pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if

pass in on $int_if

# for our ftp server.
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port > 49151

pass in on rl0 proto tcp to port 21
pass in on rl0 proto tcp to port > 49151
========


Many thanks,

- Julian

-- 
http://op59.net
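An added example, not part of the thread above and not OpenBSD code: a small Python model of how pf picks the rule that applies to a packet. pf evaluates filter rules top to bottom and the last matching rule wins, unless a matching rule carries `quick`, which stops evaluation immediately. The ruleset below mirrors the order of the filter rules in the posted pf.conf (antispoof, ICMP and FTP rules are left out because they cannot match TCP/5281 traffic), with constructed addresses in place of the macros: `rl0` is assumed to be 203.0.113.10, `sk0` 192.168.1.1, `pc5` 192.168.1.5, and the LAN and Internet clients are made-up hosts. Run against a connection from a LAN client to the external address on port 5281, the model shows the unqualified `pass in on $int_if` that comes after the internal `rdr-to` rule matching the same packet and winning, so no redirection happens; the packet is passed to the firewall itself, which is consistent with a "Connection refused" from the firewall's own TCP stack and nothing in pflog, since nothing was blocked. Adding `quick` to the internal redirect rule is shown as one way to change which rule wins; reordering so the generic pass comes first is the other. The model only decides the inbound rule; it does not simulate the `nat-to` reply path that NAT reflection also needs.

```python
"""Toy model of pf filter-rule evaluation: last match wins unless 'quick'.

Added example (not from the mailing-list thread, not OpenBSD code).  The
addresses below are constructed stand-ins for the macros in the posted
pf.conf: RFC 5737 space for the external side, RFC 1918 for the LAN.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Set

EXT_IF, INT_IF = "rl0", "sk0"
EXT_ADDR = "203.0.113.10"   # assumed address of rl0 (egress)
INT_ADDR = "192.168.1.1"    # assumed address of sk0
INT_NET = "192.168.1."      # assumed $int_if:network, prefix-matched below
PC5 = "192.168.1.5"         # assumed address of host pc5
TCP_SERVICES = {22, 80, 113}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    text: str                        # the rule as it would read in pf.conf
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None means the rule does not restrict it
    iface: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None    # address prefix, e.g. "192.168.1."
    dst: Optional[Set[str]] = None   # set of destination addresses, None = any
    dport: Optional[Set[int]] = None
    quick: bool = False
    rdr_to: Optional[str] = None     # redirect target, if the rule has rdr-to


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion the rule specifies is met by the packet."""
    return (
        (rule.direction is None or rule.direction == pkt.direction)
        and (rule.iface is None or rule.iface == pkt.iface)
        and (rule.proto is None or rule.proto == pkt.proto)
        and (rule.src_net is None or pkt.src.startswith(rule.src_net))
        and (rule.dst is None or pkt.dst in rule.dst)
        and (rule.dport is None or pkt.dport in rule.dport)
    )


def winning_rule(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the last matching rule decides, unless a match is 'quick'."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


# Filter rules in the order they appear in the posted pf.conf (subset).
RULES = [
    Rule("block in log", "block", direction="in"),
    Rule("pass out quick", "pass", direction="out", quick=True),
    Rule("pass in on egress inet proto tcp from any to (egress) port $tcp_services",
         "pass", direction="in", iface=EXT_IF, proto="tcp",
         dst={EXT_ADDR}, dport=TCP_SERVICES),
    Rule("pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281",
         "pass", direction="in", iface=EXT_IF, proto="tcp", dport={5281}, rdr_to=PC5),
    Rule("pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5",
         "pass", direction="in", iface=INT_IF, proto="tcp",
         src_net=INT_NET, dst={EXT_ADDR}, dport={5281}, rdr_to=PC5),
    Rule("pass in on $int_if", "pass", direction="in", iface=INT_IF),
]


def with_quick_rdr(rules: List[Rule]) -> List[Rule]:
    """Same ruleset with 'quick' added to the internal rdr-to rule (one possible fix)."""
    return [replace(r, quick=True, text=r.text + " quick")
            if r.iface == INT_IF and r.rdr_to is not None else r
            for r in rules]


# Constructed packets: a LAN client and an Internet client, both aiming at
# the firewall's external address on port 5281.
LAN_CLIENT = Packet("in", INT_IF, "tcp", "192.168.1.20", EXT_ADDR, 5281)
INTERNET_CLIENT = Packet("in", EXT_IF, "tcp", "198.51.100.7", EXT_ADDR, 5281)

if __name__ == "__main__":
    for label, rules in (("as posted", RULES), ("rdr rule quick", with_quick_rdr(RULES))):
        for name, pkt in (("LAN client", LAN_CLIENT), ("Internet client", INTERNET_CLIENT)):
            w = winning_rule(rules, pkt)
            print(f"{label:15} {name:16} -> {w.action} rdr_to={w.rdr_to}  [{w.text}]")
```

On the real system the equivalent check is `pfctl -sr` to see the loaded rules in their final order and `pfctl -vsr` for per-rule packet counters, which show directly which rule a test connection hit.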
