On 10/28/2014 07:57 PM, Julian Smith wrote:
> On Tue, 28 Oct 2014 13:40:52 -0400
> trondd <tro...@gmail.com> wrote:
>
>> Are you telnetting to the external IP of the server from the internal
>> client?
> Yes. Actually I've tried using the external IP and the internal IP.
> Both have the same result - telnet says 'telnet: Unable to connect to
> remote host: Connection refused'.
>
> Telnetting from an external machine works fine.
>
>> Have you enabled logging in pf? Are the packets blocked or are they passed
>> by a different rule that doesn't give the expected results?
> Yes, I've enabled logging and I see various items such as:
>
> ju...@server-55.my.domain:~ > sudo tcpdump -v -i pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> 18:51:26.909339 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29686, len 48)
> 18:51:27.465183 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29765, len 48)
> 18:51:27.909397 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29841, len 48)
>
> But I don't see anything when the internal
> connection is refused.
>
> I enabled logging with:
>
> sudo ifconfig pflog0 up
> sudo tcpdump -v -i pflog0
>
> For completeness, here's my pf.conf:
>
> ========
> int_if="sk0"
> ext_if="rl0"
>
> tcp_services="{ 22, 80, 113 }"
> icmp_types="echoreq"
>
> # options
>
> set block-policy return
> set loginterface egress
> set skip on lo
>
> # match rules
>
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> # filter rules
>
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
>     port $tcp_services
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> # Redirect Undo keyserver connections to pc5:
> pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281
>
> # Attempting to allow 5281 to forward to pc5 from internal network. But
> # doesn't work...
> pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
> pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
> #pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if
>
> pass in on $int_if
>
> # for our ftp server.
> pass in on egress proto tcp to port 21
> pass in on egress proto tcp to port > 49151
>
> pass in on rl0 proto tcp to port 21
> pass in on rl0 proto tcp to port > 49151
> ========
>
>
> Many thanks,
>
> - Julian
>
You can try the match keyword to redirect and then a pass rule. I didn't try it, and it has been a long time since I've written a pf rule, but you can try something like that:

# change the dest ip of any packet from 5281 to pc5
match in on $ext_if inet proto tcp from port 5281 rdr-to pc5
...
pass on egress inet proto tcp from port 5281
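As an added example (not from either poster), here is the port 5281 reflection written with match rules, reusing the macros and the pc5 host name from the pf.conf quoted above. It relies on two pf behaviours: translation set by a match rule is applied immediately and sticks even when a later pass rule (such as the unconditional "pass in on $int_if") is the last match, and later rules see the already-translated destination; it assumes pc5 resolves on the firewall when the ruleset is loaded.

```pf
# Added example: NAT reflection for pc5 port 5281 with match rules.
# Macros as in the original pf.conf; pc5 must resolve at load time.
int_if="sk0"
ext_if="rl0"

# Translation on match rules is sticky: it stays applied no matter which
# pass rule ends up last, so the catch-all "pass in on $int_if" below no
# longer cancels the redirect the way it does when rdr-to sits on a pass
# rule that is not the final match.

# Internet -> external address, port 5281: redirect to pc5
match in on $ext_if inet proto tcp to ($ext_if) port 5281 rdr-to pc5

# LAN client -> external address, port 5281: redirect to pc5 as well ...
match in on $int_if inet proto tcp from $int_if:network to ($ext_if) \
    port 5281 rdr-to pc5
# ... and source-NAT the reflected connection to the firewall's own
# internal address, so pc5's replies return through pf rather than going
# straight to the LAN client (which would reset the connection).
match out on $int_if inet proto tcp to pc5 port 5281 \
    received-on $int_if nat-to ($int_if)

# match rules only translate; filtering still needs pass rules.
# They are evaluated against the translated (pc5) destination.
pass in on $ext_if inet proto tcp to pc5 port 5281
pass in on $int_if
pass out on $int_if inet proto tcp to pc5 port 5281
```

Check the result with "pfctl -sr" and "pfctl -ss" after a test connection from the LAN: the state table should show the LAN client's connection to the external address mapped to pc5:5281 with the firewall's internal address as the translated source.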