Quote from Dan <[EMAIL PROTECTED]>:
Hi all, I am new to PF. Trying to set up a simple, typical ruleset as
described on openbsd.org and other places. NAT works, rdr to a machine
behind pf doesn't. The documentation says it should work. What gives?
ext_if="dc0"
int_if="fxp0"
set skip on lo
scrub in
rdr pass on $ext_if proto { tcp, udp } from any to any port 5000:5009 -> \
192.168.0.4 port 5000:5009
nat pass on $ext_if inet from $int_if:network to any -> ($ext_if)
Hi Dan,
I have been fighting with this problem too; I think it's not so
well documented for n00bs in the online documentation - I suggest
a good book would help you a lot more ...
here is an excerpt from my pf config - which is in fact about 734 lines long
if you include everything --- I'm using "rdr" for openvpn + ssh from the
internet to two internal hosts, maybe this gives you a little help ...
regards
Marc
#
# Macro-Stuff
#
ext_if="pppoe0"
wlan_if="vr1"
vpn_if="tun1"
int_if="vr0"
table <all_networks> const { $vpn_net, $int_net, $adm_net, $diag_net, \
    $wlan_net, $sec_wlan_subnet1, $sec_wlan_subnet2, $unsec_wlan_subnet1, \
    $unsec_wlan_subnet2 }
# many more tables + parameters which are topsecret
....
# altq - defs which are not easy to understand ...
# Do NAT for both vpn- & wlan_net (wlan_net needs it for the captive-portal)
nat on $ext_if from <all_networks> to any -> ($ext_if)
# don't redirect admin-machines
no rdr on $wlan_if proto tcp from <trusted> to any \
port { 80, 443, 22 } # label "$if:trusted_no_rdr_selected_ports";
#
# allow pass-thru of ssh+openvpn to two test hosts
#
rdr pass on $ext_if proto tcp from any to <firewall> \
port 22006 -> 192.168.100.6 port 22
rdr pass on $ext_if proto tcp from any to <firewall> \
port 22004 -> 192.168.100.4 port 22
rdr pass on $ext_if proto tcp from any to <firewall> \
port 11934 -> 192.168.100.4 port 1193
rdr pass on $ext_if proto tcp from any to <firewall> \
port 11936 -> 192.168.100.6 port 1193
# This gatekeeper box may talk to itself, avoid all restrictions:
pass quick on { lo }
antispoof quick for { lo }
#
# disallow intruders explicitly (all interfaces and all protocols)
#
block return-rst in quick inet proto tcp from <intruders> to any \
    label "$if:dropped_tcp_intruders"
block return-icmp in quick inet proto { udp, icmp } from <intruders> \
    to any label "$if:dropped_udp_intruders"
#
# block abusers
#
block in quick from <abusive_hosts>
#
# block ipv6 for security errata 020, may not need anymore if you have
# applied all patches
#
block in quick inet6 all
block out quick inet6 all
#
# don't allow spoofing for external interfaces, except vpn-if
#
antispoof log for $wlan_if
antispoof log for $ext_if
# vlan's are free
#
pass quick on { vlan2, vlan3, vlan4, vlan61 }
#
# other rules needed to make the box more secure ...
#
...
# whatever makes it down to here gets dropped (and logged) as well ...
block drop in log all label "$if:default_block_drop_input"
block drop out log all label "$if:default_block_drop_output"
Thanks!
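A small checker for the kind of ruleset both messages show, added here as an example; it is not code from this thread or from pf itself. It joins backslash-continued lines and strips comments the way pfctl's lexer does (which is exactly what mail wrapping breaks), expands $macros, and prints every rdr rule as a forwarding-table entry, flagging rdr rules written without `pass`, which on pf of this vintage need a separate filter rule to pass traffic to the translated (internal) address. The embedded pf.conf text is constructed for the example, modelled on the rules above; `<firewall>` is left unexpanded because that table's contents are not in the thread.

```python
"""Extract rdr (port-forwarding) rules from a pf.conf excerpt.

Added example, not code from the mailing-list thread. Handles the pf.conf
features seen there: $macros, backslash line continuation, '#' comments,
tables (<name>, left unexpanded), protocol lists in braces, port ranges
(lo:hi) and the 'lo:*' redirect form from the pf.conf(5) grammar.
"""
import re

# Constructed sample modelled on the rulesets in the thread (not a real config).
SAMPLE_CONF = r"""
ext_if="dc0"
int_if="fxp0"
set skip on lo
scrub in
# forward a port range to one internal host
rdr pass on $ext_if proto { tcp, udp } from any to any port 5000:5009 -> \
    192.168.0.4 port 5000:5009
# ssh to a test host on a non-standard external port, written without 'pass'
rdr on $ext_if proto tcp from any to <firewall> \
    port 22006 -> 192.168.100.6 port 22
nat pass on $ext_if inet from $int_if:network to any -> ($ext_if)
"""


def logical_lines(text):
    """Join backslash-continued lines and drop comments, as pfctl's lexer does."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment (no quoted '#' here)
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')


def expand_macros(lines):
    """Collect name="value" definitions and substitute $name in the other lines."""
    macros, rules = {}, []
    for line in lines:
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name in sorted(macros, key=len, reverse=True):  # longest names first
            line = line.replace("$" + name, macros[name])
        rules.append(line)
    return macros, rules


RDR = re.compile(
    r'^rdr(?P<pass>\s+pass)?\s+on\s+(?P<if>\S+)(?:\s+inet6?)?'
    r'\s+proto\s+(?P<proto>\{[^}]*\}|\S+)'
    r'\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+port\s+(?P<dport>\S+)'
    r'\s+->\s+(?P<rhost>\S+)(?:\s+port\s+(?P<rport>\S+))?$'
)


def parse_ports(spec, external=None):
    """'22' -> (22, 22); '5000:5009' -> (5000, 5009); '6000:*' -> a range as wide as `external`."""
    if ":" not in spec:
        p = int(spec)
        return p, p
    lo, hi = spec.split(":", 1)
    lo = int(lo)
    if hi == "*":
        if external is None:
            raise ValueError("'lo:*' needs the external range to size it")
        return lo, lo + (external[1] - external[0])
    return lo, int(hi)


def forwarding_table(conf_text):
    """Return one dict per rdr rule: interface, protos, dst, ports, target, implicit pass."""
    _, rules = expand_macros(logical_lines(conf_text))
    table = []
    for rule in rules:
        m = RDR.match(rule)
        if not m:
            continue  # nat, filter and option lines are out of scope here
        protos = [p.strip() for p in m.group("proto").strip("{}").split(",") if p.strip()]
        ext = parse_ports(m.group("dport"))
        internal = parse_ports(m.group("rport"), ext) if m.group("rport") else ext
        table.append({"interface": m.group("if"), "protos": protos, "dst": m.group("dst"),
                      "ext_ports": ext, "target": m.group("rhost"), "int_ports": internal,
                      "implicit_pass": bool(m.group("pass"))})
    return table


def check(entries):
    """Findings a reviewer of the ruleset would want to see."""
    return [f"rdr on {e['interface']} -> {e['target']} port {e['int_ports'][0]} has no 'pass': "
            "a filter rule must pass traffic to the translated address"
            for e in entries if not e["implicit_pass"]]


if __name__ == "__main__":
    entries = forwarding_table(SAMPLE_CONF)
    for e in entries:
        (lo, hi), (ilo, ihi) = e["ext_ports"], e["int_ports"]
        print(f"{e['interface']} {','.join(e['protos'])} {e['dst']}:{lo}-{hi}"
              f" -> {e['target']}:{ilo}-{ihi}" + ("" if e["implicit_pass"] else "  [no pass]"))
    for finding in check(entries):
        print("WARNING:", finding)
```

Run it as is to print the table, or call `forwarding_table(open(path).read())` on a real pf.conf. One thing no static check can tell you, and worth ruling out when an rdr "doesn't work": an rdr on $ext_if only sees packets that arrive on $ext_if, so connections from hosts on the internal LAN to the external address never match it; test from outside, or set up the reflection rules described in the PF FAQ for that case.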