Hi Shane, Heya and others. I tried a new setup, using tables (looks more 
efficient than using a thousand rules for each variable). But it is still 
failing :(

    # tables
    table <msn-rdr> persist const file "/etc/pf.conf.d/msn-rdr"
    table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"

    # msn proxy
    rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 1863 -> $proxy
    rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 25000:30000 -> $proxy

    # msn filter
    pass out quick on { $lan1_iface, $lan2_iface } inet proto tcp from <msn-rdr> to $proxy port 1863
    block out quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863

In the msn-rdr table are the IPs of the hosts that should be redirected to 
the proxy, and in msn-allow are the IPs of the hosts that should be 
allowed to connect directly to MSN over the internet (including 
the host $proxy). The $proxy host is on a fourth interface named $dmz_iface.

If I remove the "quick" statement from the block rule, anyone on any 
interface can connect, and with the 'quick' statement, no one can =S.
Also, back in February, when I just redirected everyone to the proxy, 
the rdr rules used to work, but with this more selective rule, it's not 
working at all.

Tks in advance.

Leonardo Carneiro - Veltrac wrote:
> Shane Lazarus wrote:
>> Heya
>>
>> On Tue, Apr 20, 2010 at 5:43 AM, Leonardo Carneiro - Veltrac 
>> <lscarne...@veltrac.com.br> wrote:
>>
>>     My OpenBSD firewall has 4 interfaces: 2 lan, 1 wan and 1 dmz.
>>     What I'm trying to do is:
>>
>>     1. Allow some hosts to use MSN;
>>     2. Redirect the MSN connections of some hosts from the LAN
>>        interfaces to a MSN proxy in the DMZ interface;
>>     3. Block the rest.
>>
>>     This is how i'm trying to achieve:
>>
>>        # msn proxy redirect
>>        rdr on $lan1_iface proto tcp from $msn-redirect to any port 1863 -> $proxy
>>        rdr on $lan1_iface proto tcp from $msn-redirect to any port 25000:30000 -> $proxy
>>        # msn filter
>>        pass out quick on $inet_iface inet proto tcp from $msn-redirect to $proxy port 1863 keep state
>>        pass out quick on $inet_iface inet proto tcp from $msn-allowed1 to any port 1863 keep state
>>        pass out quick on $inet_iface inet proto tcp from $msn-allowed2 to any port 1863 keep state
>>        pass out quick on $inet_iface inet proto tcp from $proxy to any port 1863 keep state
>>        block out on $inet_iface inet proto tcp from any to any port 1863
>>
>>
>> Is the reference to passing out the redirected traffic to the $proxy 
>> via the $inet_interface instead of the $dmz_interface correct, a typo 
>> or the issue?
>>
>> Shane
>>
>>
> Hi Shane. No, it's not a typo. It's a last-second modification that I 
> tried before sending the email. It was 'any' before I replaced it with '$proxy'. 
> However, like you well observed, it's wrong :(
>
> I'll try other rules today and I'll post them here. Tks for your concern.
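For readers following this thread, here is an added example ruleset (not the poster's config, and not a tested fix for his firewall) that shows the point the table-based version at the top of the message runs into. In the pre-4.7 pf syntax used here, rdr translation is applied before filtering, so the filter sees a packet from an <msn-rdr> host with destination $proxy, and that packet leaves the firewall on $dmz_iface, not on a LAN interface. A "pass out" on the LAN interfaces therefore never matches it, while "block out quick on ! $inet_iface" does, which is consistent with nobody getting through once "quick" is set. The interface names and the proxy address below are placeholders I made up; the table files and macro names are those from the thread.

```pf
# Added example, pre-OpenBSD-4.7 pf syntax as used in this thread.
# Interface names and the proxy address are placeholders, not the poster's values.
lan1_iface = "em0"
lan2_iface = "em1"
dmz_iface  = "em2"
inet_iface = "em3"
proxy      = "192.0.2.10"    # documentation-range stand-in for the MSN proxy in the DMZ

# Table files as named in the thread
table <msn-rdr>   persist const file "/etc/pf.conf.d/msn-rdr"
table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"

# Translation happens before filtering: after these rules a connection from
# an <msn-rdr> host has destination $proxy and will be routed out $dmz_iface.
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 1863 -> $proxy
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 25000:30000 -> $proxy

# Redirected hosts: the filter must match the translated packet, both when it
# enters on the LAN side and when it leaves on the DMZ side.
pass in  quick on { $lan1_iface, $lan2_iface } inet proto tcp from <msn-rdr> to $proxy port { 1863, 25000:30000 } keep state
pass out quick on $dmz_iface inet proto tcp from <msn-rdr> to $proxy port { 1863, 25000:30000 } keep state

# Allowed hosts (the proxy itself belongs in <msn-allow>) reach MSN directly via the WAN.
pass out quick on $inet_iface inet proto tcp from <msn-allow> to any port 1863 keep state

# Everything else toward the MSN port is dropped. Because the pass rules above
# are "quick", this rule is never reached by redirected or allowed flows.
block out quick inet proto tcp from any to any port 1863
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; after loading, `pfctl -s nat` and `pfctl -s rules` show the translation and filter rules as pf expanded them (the port lists become several rules), and `pfctl -t msn-rdr -T show` confirms which addresses actually made it into the table from the file.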