On 10/28/2014 07:57 PM, Julian Smith wrote:
> On Tue, 28 Oct 2014 13:40:52 -0400
> trondd <tro...@gmail.com> wrote:
>
>> Are you telnetting to the external IP of the server from the internal
>> client?
> Yes. Actually i've tried using the external IP and the internal IP.
> Both have the same result - telnet says 'telnet: Unable to connect to
> remote host: Connection refused'.
>
> Telneting from an external machine works fine.
>
>> Have you enabled logging in pf?  Are the packets blocked or are they passed
>> by a different rule that doesn't give the expected results?
> Yes, i've enabled logging and i see various items such as:
>
> ju...@server-55.my.domain:~ > sudo tcpdump -v -i pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> 18:51:26.909339 142-93-134-95.pool.ukrtel.net.4758 > 
> 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
> 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] 
> (ttl 117, id 29686, len 48)
> 18:51:27.465183 142-93-134-95.pool.ukrtel.net.4758 > 
> 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
> 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] 
> (ttl 117, id 29765, len 48)
> 18:51:27.909397 142-93-134-95.pool.ukrtel.net.4758 > 
> 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
> 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] 
> (ttl 117, id 29841, len 48)
>
> But i don't see anything when the internal
> connection is refused.
>
> I enabled logging with:
>
>     sudo ifconfig pflog0 up
>     sudo tcpdump -v -i pflog0
>
> For completeness, here's my pf.conf:
>
> ========
> int_if="sk0"
> ext_if="rl0"
>
> tcp_services="{ 22, 80, 113 }"
> icmp_types="echoreq"
>
> # options
>
> set block-policy return
> set loginterface egress
> set skip on lo
>
> # match rules
>
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> # filter rules
>
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
>     port $tcp_services
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> # Redirect Undo keyserver connections to pc5:
> pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281
>
> # Attempting to allow 5281 to forward to pc5 from internal network. But doesn't
> # work...
> pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
> pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
> #pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if
>
> pass in on $int_if
>
> # for our ftp server.
> pass in on egress proto tcp to port 21
> pass in on egress proto tcp to port > 49151
>
> pass in on rl0 proto tcp to port 21
> pass in on rl0 proto tcp to port > 49151
> ========
>
>
> Many thanks,
>
> - Julian
>

You can try the match keyword to redirect, and then a pass rule.

I didn't try it, and it's been a long time since I've written pf rules, but you can try
something like this:

# change the dest ip of any packet to port 5281 to pc5
# (destination port, i.e. "to port", since the keyserver listens on 5281)
match in on $ext_if inet proto tcp to port 5281 rdr-to pc5

...

pass on egress inet proto tcp to port 5281
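Two points about pf rule evaluation are worth checking against the quoted ruleset: pf applies the last matching rule unless an earlier matching rule carries `quick`, so a plain `pass in on $int_if` placed after a `pass in on $int_if ... rdr-to pc5` rule wins and the redirection is never applied, and a general `pass out quick` placed before a `pass out on $int_if ... nat-to $int_if` rule stops evaluation before the source translation is reached. The following is an added example, not the ruleset from the thread and not an OpenBSD project file: a minimal NAT reflection configuration in pf.conf syntax that orders the redirection rules with `quick` ahead of the general pass rules. The interface names sk0/rl0, the host name pc5 and port 5281 are taken from the thread; the `keyserver` and `keyserver_port` macros and everything else are assumptions.

```pf
# Added example (not the thread's ruleset): NAT reflection for TCP 5281.
# Interfaces, pc5 and port 5281 come from the thread; the macros are assumed.
int_if="sk0"
ext_if="rl0"
keyserver="pc5"
keyserver_port="5281"

set block-policy return
set loginterface egress
set skip on lo

# Ordinary outbound NAT for the internal network.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block in log
antispoof quick for { lo $int_if }

# Redirection rules carry "quick" and come BEFORE the broad pass rules:
# pf keeps the LAST matching rule unless an earlier match says "quick",
# so a later "pass in on $int_if" would otherwise override the rdr-to and
# an earlier "pass out quick" would hide the nat-to below.

# 1. External clients: rewrite the destination to the internal server.
pass in quick on egress inet proto tcp from any to (egress) \
    port $keyserver_port rdr-to $keyserver

# 2. Internal clients talking to the external address (reflection):
#    rewrite the destination on the way in through $int_if ...
pass in quick on $int_if inet proto tcp from $int_if:network to (egress) \
    port $keyserver_port rdr-to $keyserver
#    ... and the source on the way back out of the same interface, so the
#    server answers the firewall instead of replying to the client directly.
pass out quick on $int_if inet proto tcp to $keyserver port $keyserver_port \
    received-on $int_if nat-to $int_if

# General policy, deliberately placed after the reflection rules.
pass out quick
pass in on $int_if
pass in on egress inet proto tcp from any to (egress) port { 22, 80, 113 }
pass in inet proto icmp all icmp-type echoreq
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the effective rule order and `pfctl -ss` shows whether the reflected connection created a state with the translated addresses.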
