Re: Replace PF rule + inetd Proxy with 2 PF rules
Nick,

Indeed working. Thanks.

>> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>
> Neither can I believe had forgotten it, but I think you nailed it.
> Will test Monday and let know.
>
> Thanks in advance.
>
> -fm
>
>> tcpdump of a successful test connection:
>> c.c.c.c = remote test client on internet
Re: Replace PF rule + inetd Proxy with 2 PF rules
> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?

Neither can I believe had forgotten it, but I think you nailed it.
Will test Monday and let know.

Thanks in advance.

-fm

> tcpdump of a successful test connection:
> c.c.c.c = remote test client on internet
> r.r.r.r = firewall external IP
>
> pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
> tcpdump: listening on vmx1, link-type EN10MB
> 14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 [tos 0x20]
> 14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 8,nop,nop,sackOK> [tos 0x20]
> 14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
> 14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384 [tos 0x20]
> 14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
> 14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 1026 [tos 0x20]
> 14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 0x20]
> 14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 1026 [tos 0x20]
> 14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 win 273 (DF) [tos 0x20]
> 14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 436 win 273 (DF) [tos 0x20]
> 14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 273 [tos 0x20]
> 14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 win 273 [tos 0x20]
Re: Replace PF rule + inetd Proxy with 2 PF rules
On 2/14/2020 11:21 AM, Fabio Martins wrote:
> I am trying now only with the redirect to www.openbsd.org, if it works, I am
> sure it can be adapted to my case. Unfortunately still no success.
>
> # pf.conf:
> ext_if="xnf0"
>
> match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
>     rdr-to 129.128.5.194 port 80
> match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
>     $ext_if nat-to $ext_if
> match out log quick on $ext_if inet all tagged RDR \
>     nat-to $ext_if
>
> server_open="{ 80,110,443,25,587,465 }"
> pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if port $server_open tag n_traffic
>
> #block all to start
> block all
> pass quick tagged RDR
> pass quick tagged n_traffic
> pass out on $ext_if
>
>> On 2/14/2020 6:30 AM, Fabio Martins wrote:
>>> Hi Nick,
>>>
>>> Thanks. I applied both rules below, unfortunately I am still only hitting
>>> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
>>> test). I tried inverting the order, too, but no luck.
>>>
>>> #1
>>> match in on $ext_if proto tcp from to ($ext_if) port 25 \
>>>     rdr-to 200.200.200.200 port
>>>
>>> #2
>>> match out on $ext_if proto tcp to 200.200.200.200 port received-on \
>>>     $ext_if nat-to ($ext_if)
>>>
>>> --
>>> Fabio Martins
>>
>> Odd, are you allowing the traffic with an appropriate pass rule later?
>>
>> I use tagging for rules related to rdr and nat to keep things simple,
>> here is the full working setup I used to bounce port 8099 on the
>> external interface to www.openbsd.org port 80.
>>
>> #Fun reverse redirection of www.openbsd.org
>> match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR rdr-to 129.128.5.194 port 80
>> match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if nat-to $ext_if
>>
>> #block all to start
>> block log all
>> pass quick tagged RDR
>> pass out on $ext_if
>>
>> Make sure you are testing from an external host of course.

May be a dumb question, but do you have net.inet.ip.forwarding=1 set?

tcpdump of a successful test connection:
c.c.c.c = remote test client on internet
r.r.r.r = firewall external IP

pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
tcpdump: listening on vmx1, link-type EN10MB
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 8,nop,nop,sackOK> [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384 [tos 0x20]
14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 1026 [tos 0x20]
14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 0x20]
14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 1026 [tos 0x20]
14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 win 273 (DF) [tos 0x20]
14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 436 win 273 (DF) [tos 0x20]
14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 273 [tos 0x20]
14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 win 273 [tos 0x20]
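The capture above is the evidence that both translations fired: the SYN that arrives at r.r.r.r:8099 leaves again with the destination rewritten (rdr-to) and the source rewritten to the firewall (nat-to), and PF keeps the client's initial sequence number across the translation, so the two SYNs can be paired by ISN. The following script is an added example, not code from the thread or from OpenBSD; it parses SYN lines in the tcpdump format shown above and reports, per client connection, whether rdr-to and nat-to were applied or whether nothing left the box at all (the symptom when a pass rule is missing or net.inet.ip.forwarding is 0). The successful capture is taken from the thread with TCP options trimmed; the two failing captures are constructed. The ISN pairing assumes the states are not created with `modulate state`, which randomises sequence numbers.

```python
import re
from collections import defaultdict

# Matches the opening SYN lines of OpenBSD tcpdump output as shown in the
# thread, e.g.:
#   14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240
# The host token is whatever precedes the last ".port", so the thread's
# c.c.c.c / r.r.r.r placeholders parse exactly like real addresses.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"S (?P<isn>\d+):\d+\(0\)"
)


def parse_syns(capture):
    """Return one dict per initial SYN in the capture (SYN/ACKs are skipped)."""
    syns = []
    for line in capture.splitlines():
        m = SYN_RE.match(line.strip())
        if m is None or " ack " in line:
            continue
        syns.append(m.groupdict())
    return syns


def check_translation(capture, fw_ip, listen_port):
    """For every client SYN that hit fw_ip:listen_port, find the SYN PF sent
    onwards (same ISN: PF does not rewrite sequence numbers unless
    'modulate state' is used) and report which translations happened.

    rdr: destination was rewritten (rdr-to did its job)
    nat: source was rewritten to the firewall address (nat-to did its job)
    """
    syns = parse_syns(capture)
    by_isn = defaultdict(list)
    for s in syns:
        by_isn[s["isn"]].append(s)

    results = []
    for s in syns:
        if s["dst"] != fw_ip or s["dport"] != str(listen_port):
            continue
        onward = [o for o in by_isn[s["isn"]] if o is not s and o["dst"] != fw_ip]
        if not onward:
            # Nothing left the box: typically no pass rule for the tagged
            # traffic, or net.inet.ip.forwarding=0 (the thread's culprit).
            results.append({"client": s["src"], "rdr": False, "nat": False, "target": None})
            continue
        o = onward[0]
        results.append({
            "client": s["src"],
            "rdr": True,
            "nat": o["src"] == fw_ip,
            "target": f"{o['dst']}:{o['dport']}",
        })
    return results


# Capture from the thread's successful test (first four packets, options trimmed).
GOOD_CAPTURE = """\
tcpdump: listening on vmx1, link-type EN10MB
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384 (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384 [tos 0x20]
"""

# Constructed capture: rdr-to applied but nat-to not, so the SYN leaves with
# the client's own source address and the target answers the client directly.
RDR_ONLY_CAPTURE = """\
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 [tos 0x20]
14:34:09.270303 c.c.c.c.63091 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 [tos 0x20]
"""

# Constructed capture: the SYN arrives and nothing goes out at all.
NO_FORWARD_CAPTURE = """\
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 [tos 0x20]
"""

if __name__ == "__main__":
    cases = (("good", GOOD_CAPTURE), ("rdr-only", RDR_ONLY_CAPTURE), ("no-forward", NO_FORWARD_CAPTURE))
    for name, cap in cases:
        for r in check_translation(cap, "r.r.r.r", 8099):
            print(name, r)
```

Feed it `tcpdump -ni <ext_if> port <listen_port> or host <target>` output from the firewall, as in the thread, and pass the external address and redirected port; a result with `rdr` true and `nat` false means the nat-to rule never matched, and `target` being None means the packet was redirected (or not) but never forwarded.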
Re: Replace PF rule + inetd Proxy with 2 PF rules
I am trying now only with the redirect to www.openbsd.org, if it works, I am
sure it can be adapted to my case. Unfortunately still no success.

# pf.conf:
ext_if="xnf0"

match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
    rdr-to 129.128.5.194 port 80
match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
    $ext_if nat-to $ext_if
match out log quick on $ext_if inet all tagged RDR \
    nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"
pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if port $server_open tag n_traffic

#block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if

> On 2/14/2020 6:30 AM, Fabio Martins wrote:
>> Hi Nick,
>>
>> Thanks. I applied both rules below, unfortunately I am still only hitting
>> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
>> test). I tried inverting the order, too, but no luck.
>>
>> #1
>> match in on $ext_if proto tcp from to ($ext_if) port 25 \
>>     rdr-to 200.200.200.200 port
>>
>> #2
>> match out on $ext_if proto tcp to 200.200.200.200 port received-on \
>>     $ext_if nat-to ($ext_if)
>>
>> --
>> Fabio Martins
>
> Odd, are you allowing the traffic with an appropriate pass rule later?
>
> I use tagging for rules related to rdr and nat to keep things simple,
> here is the full working setup I used to bounce port 8099 on the
> external interface to www.openbsd.org port 80.
>
> #Fun reverse redirection of www.openbsd.org
> match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR rdr-to 129.128.5.194 port 80
> match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if nat-to $ext_if
>
> #block all to start
> block log all
> pass quick tagged RDR
> pass out on $ext_if
>
> Make sure you are testing from an external host of course.
Re: Replace PF rule + inetd Proxy with 2 PF rules
Hi Fabio (xará),

Apparently I achieved this with these rules:

--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8 port = flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port = 25 flags S/SA label "TESTE LISTA" tag TESTE rdr-to 8.8.8.8 port
match out log quick on hvn0 inet all label "TESTE LISTA" tagged TESTE nat-to 10.101.0.17
--

Of course there's room for improvement, be it simplify the rules or make it
more specific. Maybe I needed three rules because I use "block log" as a
default rule so: "block in" and "block out" by default.

Here is the tcpdump output:

--
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S 3824310731:3824310731(0) win 42340 (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S 3824310731:3824310731(0) win 42340
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S 3824310731:3824310731(0) win 42340
--

Regards,
Fabio Almeida

On Fri, Feb 14, 2020 at 8:33 AM Fabio Martins <
fm+obsd+misc+l...@phosphorusnetworks.com> wrote:
>
> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from to ($ext_if) port 25 \
>     rdr-to 200.200.200.200 port
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port received-on \
>     $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins
>
>> Hi Fabio,
>>
>> I believe this will do what you want, seemed to work in quick testing
>> here, adjust to suit your environment.
>>
>> match in on $ext_if proto tcp from to ($ext_if) port 25 rdr-to 200.200.200.200 port
>> match out on $ext_if proto tcp to 200.200.200.200 port received-on $ext_if nat-to ($ext_if)
Re: Replace PF rule + inetd Proxy with 2 PF rules
On 2/14/2020 6:30 AM, Fabio Martins wrote:
> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from to ($ext_if) port 25 \
>     rdr-to 200.200.200.200 port
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port received-on \
>     $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins

Odd, are you allowing the traffic with an appropriate pass rule later?

I use tagging for rules related to rdr and nat to keep things simple,
here is the full working setup I used to bounce port 8099 on the
external interface to www.openbsd.org port 80.

#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if nat-to $ext_if

#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if

Make sure you are testing from an external host of course.
Re: Replace PF rule + inetd Proxy with 2 PF rules
Hi Nick,

Thanks. I applied both rules below, unfortunately I am still only hitting
rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from to ($ext_if) port 25 \
    rdr-to 200.200.200.200 port

#2
match out on $ext_if proto tcp to 200.200.200.200 port received-on \
    $ext_if nat-to ($ext_if)

--
Fabio Martins

> Hi Fabio,
>
> I believe this will do what you want, seemed to work in quick testing
> here, adjust to suit your environment.
>
> match in on $ext_if proto tcp from to ($ext_if) port 25 rdr-to 200.200.200.200 port
> match out on $ext_if proto tcp to 200.200.200.200 port received-on $ext_if nat-to ($ext_if)
Re: Replace PF rule + inetd Proxy with 2 PF rules
Hi Fabio,

I believe this will do what you want, seemed to work in quick testing
here, adjust to suit your environment.

match in on $ext_if proto tcp from to ($ext_if) port 25 rdr-to 200.200.200.200 port
match out on $ext_if proto tcp to 200.200.200.200 port received-on $ext_if nat-to ($ext_if)

On 2/13/2020 11:56 AM, Fabio Martins wrote:
> Hi,
>
> I am trying to redirect + NAT incoming packets without the need of a TCP
> Proxy.
>
> Currently I have the following setup to redirect hosts abusing SMTP to an
> email trap:
>
> inetd listening in 127.0.0.1:8000 and redirecting to an external host
>
> # inetd.conf
> 127.0.0.1:8000 stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20 200.200.200.200
>
> and + pf rule redirecting the hosts:
>
> # pf.conf
> table persist file "/etc/pf/tables/spammers.txt"
> pass in log on egress proto tcp from to any port 25 \
>     rdr-to 127.0.0.1 port 8000
>
> I am trying to remove the inetd from the setup. With Linux iptables I would
> do a DNAT + MASQUERADE, but with PF I already tried:
>
> # pf.conf
> #1
> pass in log on xnf0 proto tcp from to any port nat-to xnf0
> #2
> pass in log on egress proto tcp from to any port 25 \
>     rdr-to 200.200.200.200 port
>
> Rule #2 is correctly applied and changes the destination address to
> 200.200.200.200, but rule #1 (NAT) isn't applied. I believe it is possible
> to NAT an external connection without using a TCP Proxy.
>
> Tried also the example from here: https://www.openbsd.org/faq/pf/rdr.html
>
> pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
> pass out on $int_if proto tcp to $server port 80 received-on $int_if nat-to $int_if
>
> Without success.
>
> Thanks!