Hi,
In your rule you have:
rdr on $IntIF inet proto tcp from any to 80.17.9.12 port 5280 -> 192.168.11.3 port 5280
Instead of $IntIF you should have $ExtIF, no?
Because your rule says:
pass in quick on $ExtIF inet proto tcp from any to any port 5280 keep state
Regards
Samuel Penn <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I'm currently using OpenBSD 4.0 as a firewall, as well as using it
> to run some public facing services (http, xmpp etc). What I'd like
> to do is move some of these services onto other servers by redirecting
> ports in order to make upgrading easier.
>
> I've already done this with SMTP, using an rdr rules, which has been
> working for a number of years without any problems. SMTP mail is
> delivered to the public firewall, and immediately redirected onto my
> mail server for processing.
>
> However, I'm now trying to do the same with some other ports, without
> any luck. I'm starting by trying to allow access to the web page for
> an internal ejabberd installation (running on port 5280, on host
> 192.168.11.3), however adding in a similar rule for port 5280 fails
> to work for both external and internal connections, and though
> tcpdump shows the redirect happening, the browser receives no response,
> and the web server log shows that it hasn't received anything.
>
> When I connect from an internal machine (fenris), the tcpdump running
> on the firewall shows a redirect to the ejabberd server (cagliostro):
>
> 16:42:10.711474 fenris.60780 > cagliostro.5280: [|tcp] (DF)
>
> But nothing reaches cagliostro.
>
> My pf.conf is as follows. If anyone can tell me what I'm doing wrong,
> I'd greatly appreciate it, thanks.
>
>
> ExtIF="rl1" # External interface
> IntIF="rl0" # Internal interface
> IntNet="192.168.11.0/24" # Internal network
> NoRoute="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
> Services="{ ssh, http, https, 5222, 5223, 5269, 5280, 6667 }"
>
> set skip on lo
>
> # Redirect SMTP traffic to mail server.
> rdr on $ExtIF inet proto tcp from any to 80.17.9.12 port 25 -> 192.168.11.3 port 25
>
> # ejabberd redirects
> rdr on $ExtIF inet proto tcp from any to 80.17.9.12 port 5280 -> 192.168.11.3 port 5280
> rdr on $IntIF inet proto tcp from any to 80.17.9.12 port 5280 -> 192.168.11.3 port 5280
>
> # NAT rules
> nat on $ExtIF from 192.168.11.0/24 to any -> $ExtIF
>
> # Ban local address spoofing.
> block in log quick on $ExtIF from $NoRoute to any
> block out log quick on $ExtIF from any to $NoRoute
>
> # Allow local network to connect via ssh
> pass in quick on $ExtIF inet proto tcp from $IntNet to any port = 22
> pass in quick on $ExtIF inet proto tcp from any to any port 25 keep state
> pass in quick on $ExtIF inet proto tcp from any to any port 5280 keep state
>
> # Allow external networks to connect to services
> pass in log quick on $ExtIF inet proto tcp from any to any port $Services keep state
> pass in log quick on $IntIF inet proto tcp from any to any port $Services keep state
>
> # Finally, default deny
> block in log quick on $ExtIF from any to any
>
> # Allow outgoing out, and keep state
> pass out on $ExtIF from any to any keep state
>
> block in inet6
>
>
> --
> Be seeing you, http://www.glendale.org.uk
> Sam. xmpp:[EMAIL PROTECTED]
>
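As an added illustration, not part of either message in the thread, here is the interface pairing the reply is getting at, written out as a pf.conf fragment in the OpenBSD 4.0-era rdr/nat syntax. The interface names, addresses and port are taken from the quoted configuration; the variable names are mine. The nat rule on the internal interface is an assumption added for the internal-client case: when a client on the internal subnet connects to the public address and pf redirects it to a server on that same subnet, the server answers the client directly with its own address as source, so the client sees a reply from 192.168.11.3 instead of 80.17.9.12 and discards it. This is the "redirection and reflection" case the PF FAQ describes, and the usual fix is to translate the source as well so the reply comes back through the firewall.

```pf
# Added example: rdr/pass pairing for the ejabberd web port (5280).
# Names and addresses come from the quoted pf.conf; the nat rule on
# $int_if is an assumption for the internal-client (reflection) case.
ext_if="rl1"                      # external interface
int_if="rl0"                      # internal interface
int_net="192.168.11.0/24"
pub_addr="80.17.9.12"
jabber_srv="192.168.11.3"

# Translation rules precede filter rules in pf.conf.
# rdr matches packets arriving on the named interface, so the
# external case is redirected on $ext_if ...
rdr on $ext_if inet proto tcp from any to $pub_addr port 5280 -> $jabber_srv port 5280

# ... and internal clients that use the public address are redirected
# on $int_if, where their packets actually arrive.
rdr on $int_if inet proto tcp from $int_net to $pub_addr port 5280 -> $jabber_srv port 5280

# Assumption: client and server share the internal subnet. Without this
# rule the server replies straight to the client with the wrong source
# address. Rewriting the source to the firewall's $int_if address makes the
# reply return through pf, whose state entry undoes both translations.
nat on $int_if inet proto tcp from $int_net to $jabber_srv port 5280 -> $int_if

# Filter rules are evaluated after rdr, so they see the translated
# destination; match the server on the same interface the rdr applied to.
pass in quick on $ext_if inet proto tcp from any to $jabber_srv port 5280 flags S/SA keep state
pass in quick on $int_if inet proto tcp from $int_net to $jabber_srv port 5280 flags S/SA keep state
pass out quick on $int_if inet proto tcp from any to $jabber_srv port 5280 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -s nat` shows the loaded translation rules and `pfctl -s state` shows whether a connection has both the rdr and the nat entries, which is the quickest way to tell whether the reply path is really coming back through the firewall.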