Help! I'm obviously overlooking something really obvious but I just can't see it.

I'm building my first PF-based router/firewall using OpenBSD 4.6. For now, what I need it to do is pretty simple:

1. Allow all outbound traffic via NAT and allow all inbound responses.
2. Allow only ssh and auth to the external interface.
3. Redirect two ports (2000 & 4200) to two different hosts on the internal net.

I've created a minimal pf.conf file that I thought would accomplish this. Goals 1 & 2 are working fine (I can connect outbound from hosts on the internal net and I can connect to the firewall inbound via ssh) but the redirections are not going anywhere.

I don't know what to do next other than enable logging, fire up tcpdump and try to see what is actually happening. But I thought I'd ask first if anybody more familiar with pf can see something fundamentally flawed with my config.

Here is the pf.conf (slightly edited to obscure the actual IPs):
# pf.conf: agilulf.det2.gw00
#################################################################################
# MACROS
#--------------------------------------------------------------------------------
# interfaces
ifExt = "fxp0" # 66.b.c.118
ifInt = "fxp1" # 192.x.y.2
################################################################################
# OPTIONS
#--------------------------------------------------------------------------------
set block-policy return
set loginterface $ifExt
set skip on lo
################################################################################
# NAT & Redirection
#--------------------------------------------------------------------------------
nat on $ifExt from !$ifExt -> $ifExt:0
rdr pass on $ifExt proto tcp from any to any port 4200 -> 192.x.y.40 port 4200
rdr pass on $ifExt proto tcp from any to any port 2000 -> 192.x.y.21 port 2000
#################################################################################
# FILTER RULES
#--------------------------------------------------------------------------------
block in
pass out keep state
# internal clients
pass in quick on $ifInt
# external
pass in inet proto icmp all icmp-type echoreq
pass in on $ifExt inet proto tcp from any to $ifExt port { ssh, auth }
###EoF###
And here is the result of loading pf.conf:
# pfctl -vf /etc/pf.conf
ifExt = "fxp0"
ifInt = "fxp1"
set block-policy return
set loginterface fxp0
set skip on { lo }
nat on fxp0 inet from ! 66.b.c.118 to any -> 66.b.c.118
rdr pass on fxp0 inet proto tcp from any to any port = 4200 -> 192.x.y.40 port 4200
rdr pass on fxp0 inet proto tcp from any to any port = 2000 -> 192.x.y.21 port 2000
block return in all
pass out all flags S/SA keep state
pass in quick on fxp1 all flags S/SA keep state
pass in on fxp0 inet proto tcp from any to 66.b.c.118 port = ssh flags S/SA keep state
pass in on fxp0 inet proto tcp from any to 66.b.c.118 port = auth flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
#
From the firewall box, I can ping and traceroute successfully to the two destination hosts for the redirections and I can connect to the destination ports of the redirections. I just can't make the redirected connections via the external interface of the firewall.

Any help would be greatly appreciated.
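The following is an added example, not code from the original post or from OpenBSD: a deliberately small Python model of how pf walks the ruleset printed by `pfctl -vf` above, applied to a constructed first packet of a connection. It encodes three pf facts that matter when reading this config: translation (nat/rdr) rules are first-match and are evaluated on the packet as it arrived, so a rdr `on fxp0` never sees a packet that came in on fxp1; filter rules are last-match, with `quick` ending evaluation; and `rdr pass` creates an implicit stateful pass for the redirected packet, so the filter section is not consulted for it. The interface names and placeholder addresses are the post's own; the `RDR_RULES`/`FILTER_RULES` tables, `packet()` and `evaluate()` are this example's inventions, and state tracking, TCP flag checks, ICMP types and the `pass out` side are left out.

```python
"""Simplified model of pf rule evaluation for the ruleset in the post.

Added example; not pf source and not the poster's code.  Only the
first inbound packet of a connection is modelled (no state table).
"""

EXT = "fxp0"
INT = "fxp1"
EXT_ADDR = "66.b.c.118"   # obscured address exactly as in the post

# rdr rules as pfctl printed them: (iface, proto, dst_port,
# new_dst_addr, new_dst_port, implicit_pass).  `rdr pass` => True.
RDR_RULES = [
    (EXT, "tcp", 4200, "192.x.y.40", 4200, True),
    (EXT, "tcp", 2000, "192.x.y.21", 2000, True),
]

# Same rules written as plain `rdr` (no `pass`), for comparison only.
RDR_RULES_NO_PASS = [r[:5] + (False,) for r in RDR_RULES]

# Inbound filter rules in printed order: (iface, proto, dst_addr,
# dst_port, action, quick).  None means "any".  ssh=22, auth=113.
FILTER_RULES = [
    (None, None,   None,     None, "block return", False),  # block return in all
    (INT,  None,   None,     None, "pass",         True),   # pass in quick on fxp1
    (EXT,  "tcp",  EXT_ADDR, 22,   "pass",         False),  # ssh to the firewall
    (EXT,  "tcp",  EXT_ADDR, 113,  "pass",         False),  # auth to the firewall
    (None, "icmp", None,     None, "pass",         False),  # echoreq (type not modelled)
]


def packet(iface, proto, dst_addr, dst_port=None):
    """Constructed inbound packet: the fields this model looks at."""
    return {"iface": iface, "proto": proto,
            "dst_addr": dst_addr, "dst_port": dst_port}


def translate(pkt, rdr_rules):
    """First matching rdr rule rewrites the destination; returns
    (possibly rewritten packet, whether the rule carried `pass`)."""
    for iface, proto, port, new_addr, new_port, implicit_pass in rdr_rules:
        if pkt["iface"] == iface and pkt["proto"] == proto \
                and pkt["dst_port"] == port:
            return dict(pkt, dst_addr=new_addr, dst_port=new_port), implicit_pass
    return pkt, False


def filter_decision(pkt):
    """Last matching filter rule wins unless a matching rule is quick.
    pf passes by default when no rule matches at all."""
    decision = "pass"
    for iface, proto, addr, port, action, quick in FILTER_RULES:
        if iface is not None and iface != pkt["iface"]:
            continue
        if proto is not None and proto != pkt["proto"]:
            continue
        if addr is not None and addr != pkt["dst_addr"]:
            continue
        if port is not None and port != pkt["dst_port"]:
            continue
        decision = action
        if quick:
            break
    return decision


def evaluate(pkt, rdr_rules=RDR_RULES):
    """Return (final dst_addr, final dst_port, decision) for a new
    inbound packet: translation first, then filter on the rewritten
    packet, except that `rdr pass` short-circuits the filter."""
    pkt, implicit_pass = translate(pkt, rdr_rules)
    decision = "pass" if implicit_pass else filter_decision(pkt)
    return pkt["dst_addr"], pkt["dst_port"], decision


if __name__ == "__main__":
    cases = [
        ("SYN from outside to ext addr:4200", packet(EXT, "tcp", EXT_ADDR, 4200)),
        ("SYN from inside to ext addr:4200",  packet(INT, "tcp", EXT_ADDR, 4200)),
        ("SYN from outside to ssh",           packet(EXT, "tcp", EXT_ADDR, 22)),
        ("SYN from outside to port 80",       packet(EXT, "tcp", EXT_ADDR, 80)),
    ]
    for label, pkt in cases:
        print(f"{label:38} -> {evaluate(pkt)}")
    print("same :4200 packet with plain rdr (no pass) ->",
          evaluate(packet(EXT, "tcp", EXT_ADDR, 4200), RDR_RULES_NO_PASS))
```

Two things the model makes visible without claiming to be the poster's bug: a connection attempted from the internal net to the external address is not redirected at all, because the rdr rules are bound to fxp0 and the packet arrives on fxp1 (it passes via the `quick` rule and lands on the firewall itself); and without `pass` on the rdr rules the redirected packet would reach the filter with destination 192.x.y.40 or 192.x.y.21, match only `block return in all`, and be dropped, which is why `rdr pass` is the right form here.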