Hello!
I use ADSL with direct access to the internet, and I go through pf (rdr)
to a Windows server in the DMZ (protocol RDP).
Our internet provider changed the protocol to PPPoE; I made the change in pf.conf,
but now the rdr does not work :-(
This is what tcpdump shows:
tcpdump -i tun0 port rdp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
14:36:28.928329 IP xxx..xxx.xxx3472 > yyy.com.rdp: S
1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>
14:36:31.883762 IP xxx..xxx.xxx.3472 > yyy.com.rdp: S
1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>
14:36:37.819110 IP xxx..xxx.xxx.3472 > yyy.com.rdp: S
1202908173:1202908173(0) win 65535 <mss 1440,nop,wscale 0,nop,nop,sackOK>
tcpdump on the internal interface shows nothing.
This is my pf.conf:
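# ---- Macros ---------------------------------------------------------------
int_if="fxp0"
# PPPoE link. Its address may be assigned per session; rules that must follow
# the live address use ($ext_if) rather than a fixed literal.
ext_if="tun0"
# LAN prefix. Was written as 192.168.0.1/24; pf masks the host bits, so this
# is the same network written unambiguously.
internal_net="192.168.0.0/24"
# Fixed public address. NOTE(review): on a PPPoE link this may not be the
# address currently on $ext_if — confirm with 'ifconfig tun0' after reconnect.
external_addr="111.111.111.111"
rdp_server="192.168.0.250"
priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
tcp_services="{domain,smtp,ssh}"
udp_services="{domain}"
icmp_types="echoreq"

# ---- Options: tune the behavior of pf, default values are given. ---------
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
# Blocked packets are silently dropped (no RST/ICMP unreachable is returned).
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# ---- Normalization ---------------------------------------------------------
# max-mss 1440 leaves room for the 8-byte PPPoE header within a 1500-byte MTU.
scrub in on $ext_if all fragment reassemble min-ttl 20 max-mss 1440
scrub in on $ext_if all no-df
scrub on $ext_if all reassemble tcp

# ---- Translation -----------------------------------------------------------
# Inbound RDP arriving on $ext_if is rewritten to $rdp_server *before* the
# filter rules run, so the matching 'pass in' rule below must name
# $rdp_server (not $external_addr / ($ext_if)) as the destination.
# NOTE(review): the trace in the report shows SYNs on tun0 with no SYN-ACK
# and nothing on $int_if. Things to verify outside this file: that IP
# forwarding is enabled in the kernel (net.inet.ip.forwarding), and that the
# PPPoE daemon is not doing its own NAT (e.g. ppp's 'nat enable'), which
# would translate packets before pf sees them. 'pfctl -vvs rules' shows
# per-rule counters and 'pfctl -s state' whether a state was ever created.
rdr on $ext_if proto tcp from any to any port rdp -> $rdp_server
# ($ext_if) is resolved at run time, which is what a dynamically assigned
# PPPoE address needs.
nat on $ext_if from $internal_net to any -> ($ext_if)

# ---- Filtering -------------------------------------------------------------
# NOTE(review): with 'block all' commented out the policy is default-ALLOW.
# Any packet, in any direction, that no 'quick' block rule above matches is
# passed, so the explicit 'pass in' rules further down do not restrict
# anything; they only add state tracking to the traffic they name. On pf
# versions where 'pass' does not imply keep state this rule is also stateless.
# Re-enable 'block all' once the rdr problem is resolved.
#block all
pass all
pass quick on lo all
# Drop packets arriving on other interfaces that claim a source address from
# $int_if's network.
antispoof quick for $int_if inet

# PORT SCANNERS FOR OS DETECTING
# These match only packets addressed to $external_addr, i.e. to the firewall
# itself; traffic already rdr'd to $rdp_server is not covered. If the PPPoE
# address differs from $external_addr these rules match nothing.
block in quick proto tcp from any to $external_addr flags SF/SFRA
block in quick proto tcp from any to $external_addr flags SFUP/SFRAU
block in quick proto tcp from any to $external_addr flags FPU/SFRAUP
block in quick proto tcp from any to $external_addr flags F/SFRA
block in quick proto tcp from any to $external_addr flags U/SFRAU
block in quick proto tcp from any to $external_addr flags P/P

#3.1 don't allow anyone to spoof non-routable addresses
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass out all
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state

# Enable incoming keep-state traffic
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA modulate state
# No state is kept here; replies rely on the default-allow policy above.
pass in on $ext_if proto udp from any to ($ext_if) \
port $udp_services
# Destination is $rdp_server because the rdr rule has already rewritten it.
# With 'synproxy state' pf completes the TCP handshake with the client by
# itself before it opens the connection to $rdp_server, so an empty trace on
# $int_if is expected until pf has answered the client's SYN. The reported
# trace shows no SYN-ACK leaving tun0 at all; to isolate whether synproxy is
# the problem, temporarily replace 'synproxy state' with 'keep state' and
# check whether the SYN then appears on $int_if.
pass in on $ext_if proto tcp from any to $rdp_server port rdp \
flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow outgoing traffic to the internet
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state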
Is this a mistake in the pf firewall?