I have been racking my brain and reading, but can't figure out how to set up pf to pass or rdr ident requests to the proper client (behind the firewall) that is trying to connect to an irc server. I want to rdr the auth (port 113) request coming into my firewall to whichever machine is trying to connect to an irc server. How can I do this?

Currently I have a rdr rule that handles the ident requests by passing
them to my windows machine running mIRC.  mIRC has a built-in ident
emulator and works fine.  I've tried to set up an ident server on my
firewall that will handle all ident requests.  I enabled identd in
/etc/rc.conf and disabled the one running from /etc/inetd, but with no
joy.

What am I missing here?  Does anyone have such a setup working?

rvb

=================================
/etc/pf.conf
=================================

#=================================
# Macros
#=================================
# Everything in this section is expanded by pfctl at load time; none of it
# is a rule by itself.
log_flg = ""                    # "log" for on and "" for  off

# Interfaces: external (Internet side), DMZ, and internal LAN.
ext_if  = "fxp0"
dmz_if  = "xl0"
int_if  = "xl1"

# Fixed targets of the rdr rules: the DMZ web host, and the single LAN
# host (the mIRC box) that answers ident and receives DCC sends.
dmz_ip  = "192.168.2.199"
win_ip  = "192.168.3.100"

#=================================
# Port Nbr Mapping
#=================================
ssh     = "22"
ident   = "113"
irc_dcc = "1024:1066"           # port range used by the DCC rdr/pass rules
web_svr = "80"
tomcat  = "8080"

# Only ssh is offered on the firewall's own external address.
tcp_services = "{" $ssh "}"

icmp_types = "echoreq"

# RFC 1918 space plus loopback; used by the spoofed-address block rules.
# NOTE(review): the closing brace is on its own line, which looks like a
# mail line-wrap.  pfctl is expected to tolerate a newline inside a quoted
# string, but join the list back onto one line if the file fails to load.
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
}"

#=================================
# Options
#=================================
# Packets hit by a block rule are dropped silently (no RST / ICMP unreachable).
set block-policy drop
# Interface whose counters are gathered for "pfctl -s info".
set loginterface $ext_if

#=================================
# Scrub Rules
#=================================
# Normalize (reassemble fragments, sanity-check headers) every inbound
# packet before any filter rule sees it.
scrub in all

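#=================================
# NAT and Forwarding Rules
#=================================
# Masquerade the LAN and the DMZ behind the external address.  The
# parentheses make pf re-read the interface address if it changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)

# Common prefix of every inbound redirect; each rule below supplies only
# the port and the internal target.
prefix_ext = "rdr on" $ext_if "proto tcp from any to" $ext_if "port"

$prefix_ext $web_svr -> $dmz_ip
$prefix_ext $tomcat -> $dmz_ip
# Ident (113) and DCC sends go to one fixed LAN host.  The target of a rdr
# rule comes from the rule itself; rdr has no way to look up which LAN
# machine opened the IRC connection, so every IRC server's ident lookup
# lands on $win_ip regardless of who is connecting.
$prefix_ext $ident -> $win_ip
$prefix_ext $irc_dcc -> $win_ip


# lan traffic to web server
# (this rule used to share a line with its comment and was therefore
# commented out, unlike the matching servlet-engine rule below)
rdr on $int_if proto tcp from any to $ext_if port $web_svr -> $dmz_ip

# lan traffic to servlet engine
rdr on $int_if proto tcp from any to $ext_if port $tomcat -> $dmz_ip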

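#=================================
# Filter Rules
#=================================
# Last matching rule wins; "quick" rules stop evaluation.  Everything starts
# blocked and is opened selectively below.

block $log_flg all

pass $log_flg quick on lo0 all

# Drop packets whose source address could not legitimately arrive on the
# interface they came in on.
antispoof $log_flg quick for $ext_if
antispoof $log_flg quick for $dmz_if
antispoof $log_flg quick for $int_if

# Private/loopback sources never belong on the external side, and private
# destinations must not leak out of it.
block drop in $log_flg quick on $ext_if from $priv_nets to any
block drop out $log_flg quick on $ext_if from any to $priv_nets

# tcp_services
# Only a SYN without ACK can open a flow to the firewall's own address;
# later packets of that flow are matched by the state entry, not by rules.
pass in $log_flg on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

# web server
# synproxy: the firewall completes the three-way handshake itself before
# the DMZ host sees the connection, so spoofed SYN floods never reach it.
pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $web_svr \
   flags S/SA synproxy state

# servlet/jsp engine
pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $tomcat \
   flags S/SA synproxy state

# ident requests
# Stateful like the other inbound rules: only a SYN can open the flow, and
# the replies from $win_ip are passed by the state entry instead of
# depending on whichever out-rule happens to match them.  The original
# rule had no flags/state and so forwarded any TCP segment to port 113.
pass in $log_flg on $ext_if proto tcp from any to $win_ip port $ident \
   flags S/SA keep state

# dcc send
# Same treatment for the DCC port range.
pass in $log_flg on $ext_if proto tcp from any to $win_ip port $irc_dcc \
   flags S/SA keep state

# ping requests
# No "on" interface here, so echo requests are accepted on every interface.
pass in $log_flg inet proto icmp all icmp-type $icmp_types keep state

# pass out all tcp, udp, and icmp packets
# modulate state keeps state and additionally rewrites the TCP initial
# sequence numbers of outbound connections.
pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA
pass out $log_flg on $ext_if proto { udp, icmp } all keep state
pass out $log_flg on $ext_if proto esp all keep state

# pass all traffic to the dmz
pass in $log_flg on $dmz_if from $dmz_if:network to any keep state
pass out $log_flg on $dmz_if from any to $dmz_if:network keep state

# pass all traffic to and from the local network
pass in $log_flg on $int_if from $int_if:network to any keep state
pass out $log_flg on $int_if from any to $int_if:network keep state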


