Hello
I have a small 5-year-old home router (upgraded to OpenBSD 6.8 stable)
with a static white IP from my internet provider (obtained via DHCP) and a
simple http/https server (OpenBSD httpd) in my network running in a VirtualBox
VM (OpenBSD 6.8) which has the static IP 192.168.1.102.
The http server is reachable from the internal network on the http and https
ports when 192.168.1.102 is used.
To make the http server work from outside I'm trying to use the
following PF rule on my router:
...
web_server = "192.168.1.102"
web_ports = "{ http https }"...
...
# Web-server
pass in log on egress inet proto tcp \
from !<bad_ips> to (egress) port $web_ports \
rdr-to $web_server
The problem is that only port 80 seems to be open from the outside.
I used several online port scanners to check this.
All of them report:
port 80 OPEN
port 443 CLOSED
The whole ruleset is below:
__________________________________________________________________________
"""
router root ~ # grep -v '^#' /etc/pf.conf
int_if = "{ vether1 em1 em3 athn0 }"
beeline_tv = "{ em0 em2 }"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.2.0/24 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
}
table <bad_ips> persist file "/etc/pf/bad_ip"
asterisk_server = "192.168.1.101"
web_server = "192.168.1.102"
web_ports = "{ http https }"
block log all
set block-policy drop
set skip on lo
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from (vether1:network) to any nat-to (egress:0)
pass out quick inet
pass in on $int_if inet
pass on $beeline_tv allow-opts
pass in on egress inet proto tcp from !<bad_ips> \
to (egress) port 22 keep state \
(max-src-conn 2, max-src-conn-rate 2/300, \
overload <bad_ips> flush global)
pass in on egress inet proto udp from !<bad_ips> \
to (egress) port 5060 keep state \
(max-src-states 1) rdr-to $asterisk_server
pass in on $int_if inet proto udp from (vether1:network) \
to (egress) port 5060 \
rdr-to $asterisk_server
pass in on egress inet proto udp from !<bad_ips> \
to (egress) port 10000:20000 keep state \
(max-src-states 1) rdr-to $asterisk_server
pass in on $int_if inet proto udp from (vether1:network) \
to (egress) port 10000:20000 \
rdr-to $asterisk_server
pass in on egress inet proto { tcp udp } from !<bad_ips> \
to (egress) port { 50000 } rdr-to 192.168.1.65
pass in log on egress inet proto tcp from !<bad_ips> \
to (egress) port $web_ports \
rdr-to $web_server
"""
________________________________________________________________________
I added some log options to try to understand which rule could be blocking
access to the https port from the outside, but the log shows only the following:
________________________________________________________________________
"""
router root ~ # tcpdump -n -e -ttt -i pflog0 port 80 or port 443
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Nov 29 08:28:44.602109 rule 23/(match) pass in on vether0:
5.101.123.139.40470 > 89.179.243.222.80: S 2282440086:2282440086(0) win
29200 <mss 1460,sackOK,timestamp 150399049 0,nop,wscale 7> (DF) [tos 0x28]
"""
________________________________________________________________________
Access to the http port is logged successfully, but access to the https port is
nowhere to be seen.
There are other rdr-to rules in my ruleset and all of them work as
expected, e.g.:
udp port 5060 and the udp port range 10000:20000 are redirected to the
VirtualBox VM (Asterisk) as expected.
--
Best regards
Maksim Rodin
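As an added diagnostic (not part of the original post or of OpenBSD), here is a small sh/awk script that tallies pflog lines from `tcpdump -n -e -ttt -i pflog0` by action, rule number and destination port. Because the ruleset above starts with `block log all`, an inbound SYN to port 443 arriving on egress would be logged either as a pass by the web rule or as a block, so a tally with no 443 entries at all means those packets are not reaching the router; the sample lines below are constructed with documentation addresses.

```shell
#!/bin/sh
# Tally pf log lines (tcpdump -n -e -ttt -i pflog0 output) by action, rule and
# destination port, to see whether SYNs for a given port reach pf at all.
# Constructed sample in the style of the tcpdump output in the post; the
# addresses are documentation ranges, not values from the original message.
PFLOG_SAMPLE='Nov 29 08:28:44.602109 rule 23/(match) pass in on vether0: 198.51.100.7.40470 > 203.0.113.5.80: S 2282440086:2282440086(0) win 29200 <mss 1460,sackOK> (DF)
Nov 29 08:28:51.110221 rule 0/(match) block in on vether0: 198.51.100.9.51234 > 203.0.113.5.23: S 11:11(0) win 65535
Nov 29 08:29:02.334455 rule 23/(match) pass in on vether0: 198.51.100.7.40471 > 203.0.113.5.80: S 22:22(0) win 29200'

# pflog_summary: reads pflog text on stdin, prints one line per
# "action rule dport count" group, sorted.
pflog_summary() {
    awk '
        /rule [0-9]+\/\(match\)/ {
            for (i = 1; i <= NF; i++) {
                # "rule 23/(match) pass in on vether0:" -> rule 23, action pass
                if ($i == "rule") {
                    split($(i + 1), r, "/"); rule = r[1]
                    action = $(i + 2)
                }
                # "src.port > dst.port:" -> destination is the field after ">"
                if ($i == ">") { dst = $(i + 1); sub(/:$/, "", dst) }
            }
            n = split(dst, parts, ".")   # last dotted component is the port
            count[action " " rule " " parts[n]]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# port_seen PORT: exit 0 if any logged packet, passed or blocked, was
# addressed to PORT; exit 1 if pf never saw such a packet.
port_seen() {
    pflog_summary | awk -v p="$1" '$3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$PFLOG_SAMPLE" | pflog_summary
printf '%s\n' "$PFLOG_SAMPLE" | port_seen 443 || echo "no packets to port 443 reached pf"
```

Feed it the live log instead with `tcpdump -n -e -ttt -i pflog0 port 80 or port 443 | pflog_summary` while a scan runs.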