Hello everybody, I have the following problem (I've been working on it for about 5 days) and I'm not able to solve it. I have a web server on Win2k + IIS on my internal network that is working fine, and I want it to be accessible from the internet through my OpenBSD box (which has a public IP).
The problem is that I'm not able to access it. Accessing the internal server from the OpenBSD box is ok (lynx http://my.internal.web.srv), but when I try connecting from the outside world, it results in a 'Page cannot be displayed' from IE. Does anybody know why? Or can anybody point me in the right direction?

Thank you,
Gabriele

Here is my pf.conf:

int_if = "fxp0"
ext_if = "fxp1"
ext_addr = "nnn.nnn.nnn.nnn"
int_addr = "my.internal.net"

icmp_types = "echoreq"
tcp_services = "{ 23 }" # "{ 23, 80 }"

RDR = "rdr pass on" $ext_if "proto tcp from any to" $ext_addr "port"
RDR_UDP = "rdr pass on" $ext_if "proto udp from any to" $ext_addr "port"

# SSH
openssh_port = "22"
openssh_int_addr = "my.internal.srv"

# Terminal Server
ts_port = "3389"
ts_int_addr = "my.terminal.srv"

# WEB
web_port = "80"
web_ssl_port = "443"
web_int_addr = "my.web.srv"

# VPN
# --> PPTP
gre = "47" # GRE = IP protocol 47
pptp_port = "1723"
# --> L2TP/IPSec with NAT-T
esp = "50" # IPSEC-ESP = IP protocol 50
ah = "51" # IPSEC-AH = IP protocol 51
l2tp_port = "1701"
isakmp_port = "500"
natt_port = "4500"
# --> VPN Server
vpn_int_addr = "my.vpn.srv"

priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"

# Set default response for block filter rules
set block-policy return

# Turn on log on the external interface
set loginterface $ext_if

# Scrub all incoming traffic
scrub in all

# NAT all internal network
nat on $ext_if from $int_if:network to any -> $ext_if

# Use ftp-proxy for internal FTP clients to connect to Internet FTP servers
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Redirect OpenSSH traffic to internal server
$RDR $openssh_port -> $openssh_int_addr port $openssh_port

# Redirect Terminal Server traffic to internal server
$RDR $ts_port -> $ts_int_addr port $ts_port

# Redirect Web traffic
$RDR $web_port -> $web_int_addr port $web_port
$RDR $web_ssl_port -> $web_int_addr port $web_ssl_port

# Redirect PPTP traffic to internal server
$RDR $pptp_port -> $vpn_int_addr port $pptp_port
rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr

# Redirect L2TP traffic to internal server
#$RDR_UDP $l2tp_port -> $vpn_int_addr port $l2tp_port
$RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
$RDR_UDP $natt_port -> $vpn_int_addr port $natt_port
#rdr pass on $ext_if proto $esp from any to $ext_addr -> $vpn_int_addr
#rdr pass on $ext_if proto $ah from any to $ext_addr -> $vpn_int_addr

# ==> DEFAULT DENY
block all

# pass all traffic on the loopback interface
pass quick on lo0 all

# block all traffic coming from/to private networks on the external interface
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# open port for incoming allowed TCP traffic on the external interface
pass in on $ext_if inet proto tcp from any to \
    $ext_if port $tcp_services flags S/SA keep state

# open allowed ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types keep state

# permit all traffic through the internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# permit all outgoing traffic to the Internet
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# permit incoming connections to ftp-proxy
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
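A first debugging step with a macro-heavy ruleset like the one above is to read the rules as pf actually sees them after macro expansion (on the box itself, pfctl -nvf /etc/pf.conf prints exactly that). The following is an added example, not part of the post: a small stand-alone Python re-implementation of pf.conf(5) macro expansion, including the multi-token definitions the RDR macro uses and backslash line continuation, run over a constructed excerpt built from the post's own macros. It simplifies one rule: pf does not expand $refs inside quotes, and the excerpt has none.

```python
"""Expand pf.conf(5) macros into the effective rules, stand-alone (pfctl -nvf does this on the box)."""
import re
import shlex

MACRO_DEF = re.compile(r'^([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.+)$')
MACRO_REF = re.compile(r'\$([A-Za-z][A-Za-z0-9_]*)')

# Constructed excerpt built from the post's own macros, not the whole file.
SAMPLE_PF_CONF = """\
ext_if = "fxp1"
ext_addr = "nnn.nnn.nnn.nnn"
tcp_services = "{ 23 }"  # "{ 23, 80 }"
RDR = "rdr pass on" $ext_if "proto tcp from any to" $ext_addr "port"
web_port = "80"
web_int_addr = "my.web.srv"
$RDR $web_port -> $web_int_addr port $web_port
pass in on $ext_if inet proto tcp from any to \\
    $ext_if port $tcp_services flags S/SA keep state
"""

def logical_lines(text):
    """Strip comments, join backslash-continued lines, normalise spacing."""
    buf = ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        joined = ' '.join((buf + line).split())
        buf = ''
        if joined:
            yield joined

def expand_pf(text):
    """Return (macros, rules); an undefined $name raises KeyError, as pfctl rejects it."""
    macros, rules = {}, []
    for line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            # Definitions mix quoted strings, bare words and $refs; pf expands the refs at definition time.
            name, rhs = m.groups()
            macros[name] = ' '.join(macros[t[1:]] if t[:1] == '$' else t
                                    for t in shlex.split(rhs))
        else:
            # Simplification: pf does not expand $refs inside quotes; none here are quoted.
            rules.append(MACRO_REF.sub(lambda r: macros[r.group(1)], line))
    return macros, rules

if __name__ == '__main__':
    print('\n'.join(expand_pf(SAMPLE_PF_CONF)[1]))
```

The expanded output makes it visible that port 80 reaches the web server only via the "rdr pass" rule, while the explicit "pass in" on the external interface covers only the ports in tcp_services.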
