I have two links to the internet.

I am testing it from the other link and it's not working.
As I told before, I had these rules working on an older version of OpenBSD (not
on the same hardware).
Now my boss told me to replace OpenBSD because I can't do a single rdr that
worked in the past.

That sucks.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
Jackson
Sent: Tuesday, September 23, 2008 17:46
To: misc@openbsd.org
Subject: Re: PF cannot RDR connections

If that's the case the original poster should take a look:
   http://openbsd.org/faq/pf/rdr.html#reflect

I've had to solve similar problems by NAT'ing the internal network(s) to
the firewall's internal interface IP so that traffic hitting the internal
server appears to come from the firewall itself.

On Tue, Sep 23, 2008 at 03:50:48PM -0400, Wade, Daniel wrote:
> Your problem, as I stated off list, is that you are rdr to and from hosts on
> the same subnet.
> These are all 10.10/16 addresses.
> 10.10.100.254 is an address on the firewall
>
>
> Here's what's happening.
>
> 10.10.0.135.4552 -> 10.10.100.254.81
> Which gets switched to
> 10.10.0.135.4552 -> 10.10.0.2.81
>
> Then 0.2 replies directly back to 0.135 because it's local, skipping your
> firewall
>
> 10.10.0.2.81 -> 10.10.0.135.4552
> This is bypassing your firewall and messing you up.
>
> 0.135 knows nothing about this 0.2 guy.  It didn't connect to him.
> It's looking for a reply from 100.254
>
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Ricardo Augusto de Souza
> > Sent: Tuesday, September 23, 2008 3:40 PM
> > To: misc@openbsd.org
> > Subject: RES: PF cannot RDR connections
> >
> > No one can help me on this?
> > I have just one hour to finish this 'job'.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> > Of Ricardo Augusto de Souza
> > Sent: Tuesday, September 23, 2008 16:21
> > To: misc@openbsd.org
> > Subject: RES: PF cannot RDR connections
> >
> > I am lost.
> > NAT is working but I can't do a single rdr.
> > Any clue?
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> > Of Ricardo Augusto de Souza
> > Sent: Tuesday, September 23, 2008 13:31
> > To: misc@openbsd.org
> > Subject: RES: PF cannot RDR connections
> >
> > I was monitoring tcpdump -i xl0, disabled pf, tried to access
> > http://10.10.100.254:81 and saw this:
> >
> > 13:30:38.976708 10.10.100.254.81 > 10.10.0.135.2321: R 0:0(0) ack 1 win 0 (DF)
> > 13:30:40.007811 802.1d RSTP config flags=7c<LEARNING,FORWARDING,AGREED> role=DESIGNATED root=8000.0:f:cb:56:80:a0 rootcost=20004 bridge=8000.0:1e:c1:27:b0:80 port=9 ifcost=128 age=2/0 max=20/0 hello=2/0 fwdelay=15/0
> >
> > 13:32:20.254337 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 2046899144 win 0 (DF)
> > 13:32:20.699272 10.10.0.135.2331 > 10.10.100.254.81: S 2046899143:2046899143(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> > 13:32:20.699297 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0 (DF)
> > 13:32:21.181005 10.10.100.254 > 10.10.0.135: icmp: echo reply
> > 13:32:21.202344 10.10.0.135.2331 > 10.10.100.254.81: S 2046899143:2046899143(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> > 13:32:21.202368 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0 (DF)
> >
> > Now I turned pf on and got this:
> > # tcpdump -i xl0|grep 81
> > tcpdump: listening on xl0, link-type EN10MB
> > 13:34:44.554439 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> > 13:34:47.497787 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> > 13:34:49.816656 10.10.0.48.netbios-ns > 10.10.255.255.netbios-ns: udp 50
> > 13:34:52.226812 10.10.100.254 > 10.10.0.135: icmp: echo reply
> > 13:34:53.434122 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> >
> > Please help me, folks, I need this rdr working TODAY.
> >
> > Thanks in advance!
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> > Of Ricardo Augusto de Souza
> > Sent: Tuesday, September 23, 2008 11:30
> > To: misc@openbsd.org
> > Subject: PF cannot RDR connections
> >
> > I used to do this easily but it's failing now.
> >
> > xl0 = 10.10.100.254
> > xl1 = internet
> >
> > This is my /etc/pf.conf
> >
> > # external interface (WAN)
> > ext_if="xl1"
> > # internal interface (LAN)
> > int_if="xl0"
> >
> > #set skip on lo
> > #scrub in
> >
> > # redirect port 8101 arriving on the WAN interface to an internal host
> > rdr on xl1 proto tcp from any to xl1 port 8101 -> 10.10.100.21 port 8101
> > # redirect port 81 on the LAN interface address to the internal web server
> > rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
> >
> > #
> > # NAT
> > #
> > #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> > nat on $ext_if from 10.10.0.0/16 -> $ext_if
> >
> > pass in all
> > pass out all
> > #pass quick on $int_if no state
> > #antispoof quick for { lo $int_if }
> >
> > Note:
> >
> > I can access http://10.10.0.2
> > It fails when I try to access http://10.10.100.254:81
> >
> > What's wrong, folks?
> >
> > # pfctl -sn
> > nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
> > rdr on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.100.21 port 8101
> > rdr on xl0 inet proto tcp from any to 10.10.100.254 port = 81 -> 10.10.0.2 port 80
> > #
> >
> > # dmesg
> > OpenBSD 4.3 (CMT) #1: Mon Sep 22 15:25:18 BRT 2008
> >     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/CMT
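The reflection fix that John Jackson's reply and the linked FAQ section describe, written out against this thread's addresses as an added example (it is not a configuration anyone posted in the thread; the macro names and keeping the original WAN redirect unchanged are my assumptions, and the syntax is the pre-4.7 form that OpenBSD 4.3 uses):

```pf
# Added example, not from the thread. Pre-4.7 PF syntax (OpenBSD 4.3).
ext_if  = "xl1"
int_if  = "xl0"            # 10.10.100.254, the LAN side of the firewall
int_net = "10.10.0.0/16"
server  = "10.10.0.2"      # internal web server, listens on port 80

# unchanged from the original pf.conf: WAN redirect to an internal host
rdr on $ext_if proto tcp from any to $ext_if port 8101 -> 10.10.100.21 port 8101

# 1. LAN clients connecting to the firewall's internal address on port 81
#    are redirected to the server, as in the original rule
rdr on $int_if proto tcp from $int_net to $int_if port 81 -> $server port 80

# 2. leave the firewall's own connections to the LAN alone
no nat on $int_if proto tcp from $int_if to $int_net

# 3. rewrite the source of the redirected connections to the firewall's
#    internal address, so the server answers the firewall instead of the
#    client directly; PF undoes both translations on the reply and the
#    client sees it coming from 10.10.100.254:81 as it expects
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

# outbound NAT for the LAN, as in the original pf.conf
nat on $ext_if from $int_net -> $ext_if

pass in all
pass out all
```

Load it with pfctl -f /etc/pf.conf and confirm the three translation rules with pfctl -sn; with pf enabled the quoted tcpdump showed only retransmitted SYNs to 10.10.100.254.81, so a working setup shows the SYN-ACK coming back from 10.10.100.254.81 on xl0.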
