Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-17 Thread Fabio Martins


Nick,

Indeed working.
Thanks.

>>
>> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>>
>
> Neither can I believe I had forgotten it, but I think you nailed it.
> Will test Monday and let you know.
>
> Thanks in advance.
>
> -fm
>
>>
>> tcpdump of a successful test connection:
>> c.c.c.c = remote test client on internet




Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-15 Thread Fabio Martins
>
> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>

Neither can I believe I had forgotten it, but I think you nailed it.
Will test Monday and let you know.

Thanks in advance.

-fm

>
> tcpdump of a successful test connection:
> c.c.c.c = remote test client on internet
> r.r.r.r = firewall external IP
>
> pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
> tcpdump: listening on vmx1, link-type EN10MB
> 14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0)
> win 64240  [tos 0x20]
> 14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S
> 3178148684:3178148684(0) win 64240  8,nop,nop,sackOK> [tos 0x20]
> 14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S
> 3355699325:3355699325(0) ack 3178148685 win 16384  1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
> 14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0)
> ack 3178148685 win 16384  [tos 0x20]
> 14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
> 14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win
> 1026 [tos 0x20]
> 14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos
> 0x20]
> 14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win
> 1026 [tos 0x20]
> 14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436
> win 273 (DF) [tos 0x20]
> 14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack
> 436 win 273 (DF) [tos 0x20]
> 14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win
> 273 [tos 0x20]
> 14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436
> win 273 [tos 0x20]
>
>
>





Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas




On 2/14/2020 11:21 AM, Fabio Martins wrote:

I am trying now only with the redirect to www.openbsd.org; if it works, I
am sure it can be adapted to my case.

Unfortunately still no success.

# pf.conf:

ext_if="xnf0"

match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
rdr-to 129.128.5.194 port 80

match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
$ext_if nat-to $ext_if

match out log quick on $ext_if inet all tagged RDR \
nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"

pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if
port $server_open tag n_traffic

#block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if




On 2/14/2020 6:30 AM, Fabio Martins wrote:

Hi Nick,

Thanks. I applied both rules below; unfortunately I am still only
hitting rule #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from  to ($ext_if) port 25 \
rdr-to 200.200.200.200 port 

#2
match out on $ext_if proto tcp to 200.200.200.200 port  received-on
\
$ext_if nat-to ($ext_if)

--
Fabio Martins


Odd, are you allowing the traffic with an appropriate pass rule later?

I use tagging for rules related to rdr and nat to keep things simple,
here is the full working setup I used to bounce port 8099 on the
external interface to www.openbsd.org port 80.

#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR
rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on
$ext_if nat-to $ext_if

#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if


Make sure you are testing from an external host of course.

May be a dumb question, but do you have net.inet.ip.forwarding=1 set?


tcpdump of a successful test connection:
c.c.c.c = remote test client on internet
r.r.r.r = firewall external IP

pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
tcpdump: listening on vmx1, link-type EN10MB
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) 
win 64240  [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 
3178148684:3178148684(0) win 64240 8,nop,nop,sackOK> [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 
3355699325:3355699325(0) ack 3178148685 win 16384 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) 
ack 3178148685 win 16384  [tos 0x20]

14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 
1026 [tos 0x20]
14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 
0x20]
14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 
1026 [tos 0x20]
14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 
win 273 (DF) [tos 0x20]
14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 
436 win 273 (DF) [tos 0x20]
14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 
273 [tos 0x20]
14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 
win 273 [tos 0x20]

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins


I am trying now only with the redirect to www.openbsd.org; if it works, I
am sure it can be adapted to my case.

Unfortunately still no success.

# pf.conf:

ext_if="xnf0"

match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
rdr-to 129.128.5.194 port 80

match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
$ext_if nat-to $ext_if

match out log quick on $ext_if inet all tagged RDR \
nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"

pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if
port $server_open tag n_traffic

#block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if


>
>
> On 2/14/2020 6:30 AM, Fabio Martins wrote:
>> Hi Nick,
>>
>> Thanks. I applied both rules below; unfortunately I am still only
>> hitting rule #1 (rdr-to). nat-to is never reached (added "log" on each to
>> test). I tried inverting the order, too, but no luck.
>>
>> #1
>> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
>> rdr-to 200.200.200.200 port 
>>
>> #2
>> match out on $ext_if proto tcp to 200.200.200.200 port  received-on
>> \
>> $ext_if nat-to ($ext_if)
>>
>> --
>> Fabio Martins
>>
>
> Odd, are you allowing the traffic with an appropriate pass rule later?
>
> I use tagging for rules related to rdr and nat to keep things simple,
> here is the full working setup I used to bounce port 8099 on the
> external interface to www.openbsd.org port 80.
>
> #Fun reverse redirection of www.openbsd.org
> match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR
> rdr-to 129.128.5.194 port 80
> match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on
> $ext_if nat-to $ext_if
>
> #block all to start
> block log all
> pass quick tagged RDR
> pass out on $ext_if
>
>
> Make sure you are testing from an external host of course.
>
>
>
>
>




Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Almeida
Hi Fabio (namesake),
Apparently I achieved this with these rules:
--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8
port =  flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port
= 25 flags S/SA label "TESTE LISTA" tag TESTE rdr-to 8.8.8.8 port 
match out log quick on hvn0 inet all label "TESTE LISTA" tagged TESTE
nat-to 10.101.0.17
--
Of course there's room for improvement, be it simplifying the rules or making
them more specific.
Maybe I needed three rules because I use "block log" as a default rule so:
"block in" and "block out" by default.
Here is the tcpdump output:
--
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S
3824310731:3824310731(0) win 42340  (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S
3824310731:3824310731(0) win 42340 
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S
3824310731:3824310731(0) win 42340 
--
Regards,
Fabio Almeida

On Fri, Feb 14, 2020 at 8:33 AM Fabio Martins <fm+obsd+misc+l...@phosphorusnetworks.com> wrote:

>
> Hi Nick,
>
> Thanks. I applied both rules below; unfortunately I am still only hitting
> rule #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
> rdr-to 200.200.200.200 port 
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
> $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins
>
> > Hi Fabio,
> >
> > I believe this will do what you want, seemed to work in quick testing
> > here, adjust to suit your environment.
> >
> >
> > match in on $ext_if proto tcp from  to ($ext_if) port 25
> > rdr-to 200.200.200.200 port 
> > match out on $ext_if proto tcp to 200.200.200.200 port  received-on
> > $ext_if nat-to ($ext_if)
> >
>
>
>
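As an added example (my code, not from this thread and not OpenBSD's), here is a small Python checker for the verification step that Nick's tcpdump capture and Fabio Almeida's pflog output illustrate. Given a capture taken on the firewall's external interface, it pairs the SYN that arrived on the listening port with the SYN the firewall re-emitted toward the target, using the TCP initial sequence number, which PF carries over unchanged when it rewrites addresses (both legs in Nick's capture share ISN 3178148684; this pairing would not hold with `modulate state`), and reports whether rdr-to (destination rewritten) and nat-to (source rewritten) both applied. It goes a little beyond the thread by also classifying the two failure modes discussed: a re-emitted SYN whose source was never translated, and a SYN that is accepted but never leaves the box, which is what `net.inet.ip.forwarding=0` or a missing pass rule looks like on the wire. It accepts both plain tcpdump lines and pflog-style lines prefixed with `rule N/(match) <action> <in|out> on <if>:`. All capture strings below are constructed sample data; `c.c.c.c` / `r.r.r.r` are the placeholders the thread uses, and the `203.0.113.10` target and port `2525` in the pflog sample are made up.

```python
"""Added example (not from the mailing-list thread, not OpenBSD code).

Pair the inbound SYN with the SYN the firewall re-emits, using the TCP
initial sequence number that PF keeps unchanged across rdr-to/nat-to,
and report which of the two translations actually happened.
All captures in this file are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Optional

# Timestamp and pflog prefix are optional; TCP option lists, tos and DF
# flags after the sequence number are ignored.
SYN_RE = re.compile(
    r"^(?:\d\d:\d\d:\d\d\.\d+\s+)?"
    r"(?:rule\s+\d+/\(match\)\s+\S+\s+(?P<dir>in|out)\s+on\s+\S+:\s+)?"
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+"
    r"S\s+(?P<isn>\d+):\d+\(0\)\s+(?!ack\b)"  # pure SYN only, not the SYN/ACK
)


@dataclass(frozen=True)
class Syn:
    src: str
    sport: int
    dst: str
    dport: int
    isn: int
    direction: Optional[str]  # "in"/"out" when a pflog prefix is present

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


def parse_syns(capture: str) -> list:
    """Return every pure SYN (no ACK flag) found in the capture text."""
    syns = []
    for line in capture.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            syns.append(Syn(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                            int(m["isn"]), m["dir"]))
    return syns


def audit(capture: str, listen_port: int) -> dict:
    """Judge the first connection that arrived on listen_port.

    status: no-inbound-syn (nothing hit listen_port), not-forwarded (SYN
    seen on the way in but never re-emitted: only client retransmits,
    as with forwarding off or no pass rule for the translated packet),
    partial (re-emitted but only one translation applied), or ok.
    """
    syns = parse_syns(capture)
    inbound = [s for s in syns if s.dport == listen_port]
    if not inbound:
        return {"status": "no-inbound-syn"}
    first = inbound[0]
    # Same ISN but a different 4-tuple = the translated copy of this SYN;
    # retransmits of the original keep the same 4-tuple and are skipped.
    forwarded = [s for s in syns if s.isn == first.isn and s.flow != first.flow]
    if not forwarded:
        return {"status": "not-forwarded", "client": first.src}
    out = forwarded[0]
    rdr = (out.dst, out.dport) != (first.dst, first.dport)
    nat = out.src != first.src
    return {
        "status": "ok" if rdr and nat else "partial",
        "rdr_applied": rdr,
        "nat_applied": nat,
        "client": f"{first.src}:{first.sport}",
        "forwarded_as": f"{out.src}:{out.sport} -> {out.dst}:{out.dport}",
    }


# Constructed: healthy case, port 8099 on the firewall bounced to
# 129.128.5.194:80 as in Nick's setup (SYN/ACK lines must be ignored).
CAPTURE_OK = """\
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 <mss 1460,sackOK> [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 <mss 1460,sackOK> [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384 <mss 1460> (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384 <mss 1460> [tos 0x20]
"""
# Constructed: rdr-to fired but nat-to did not, so the forwarded SYN still
# carries the client's address and the target will answer the client directly.
CAPTURE_NO_NAT = """\
14:40:01.000000 c.c.c.c.50000 > r.r.r.r.8099: S 1000:1000(0) win 64240 <mss 1460> [tos 0x20]
14:40:01.000050 c.c.c.c.50000 > 129.128.5.194.80: S 1000:1000(0) win 64240 <mss 1460> [tos 0x20]
"""
# Constructed: nothing leaves the box; the client just retransmits its SYN.
CAPTURE_STUCK = """\
14:45:00.000000 c.c.c.c.50100 > r.r.r.r.8099: S 2000:2000(0) win 64240 <mss 1460> [tos 0x20]
14:45:01.000000 c.c.c.c.50100 > r.r.r.r.8099: S 2000:2000(0) win 64240 <mss 1460> [tos 0x20]
"""
# Constructed pflog-style lines (target 203.0.113.10 and port 2525 are made up).
CAPTURE_PFLOG = """\
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S 3824310731:3824310731(0) win 42340 <mss 1460> (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 203.0.113.10.2525: S 3824310731:3824310731(0) win 42340 <mss 1460>
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 203.0.113.10.2525: S 3824310731:3824310731(0) win 42340 <mss 1460>
"""

if __name__ == "__main__":
    for name, cap, port in (("ok", CAPTURE_OK, 8099), ("no-nat", CAPTURE_NO_NAT, 8099),
                            ("stuck", CAPTURE_STUCK, 8099), ("pflog", CAPTURE_PFLOG, 25)):
        print(f"{name:7} {audit(cap, port)}")
```

Feed it the output of `tcpdump -ni <ext_if> port <listen_port> or host <target>` (as in Nick's capture) and the listening port; a `partial` verdict with `nat_applied` false is exactly the symptom Fabio Martins reported (rdr-to hit, nat-to never reached), while `not-forwarded` is what you would expect to see before setting `net.inet.ip.forwarding=1`.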


Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas




On 2/14/2020 6:30 AM, Fabio Martins wrote:

Hi Nick,

Thanks. I applied both rules below; unfortunately I am still only hitting
rule #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from  to ($ext_if) port 25 \
rdr-to 200.200.200.200 port 

#2
match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
$ext_if nat-to ($ext_if)

--
Fabio Martins



Odd, are you allowing the traffic with an appropriate pass rule later?

I use tagging for rules related to rdr and nat to keep things simple, 
here is the full working setup I used to bounce port 8099 on the 
external interface to www.openbsd.org port 80.


#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR 
rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on 
$ext_if nat-to $ext_if


#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if


Make sure you are testing from an external host of course.


Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins


Hi Nick,

Thanks. I applied both rules below; unfortunately I am still only hitting
rule #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from  to ($ext_if) port 25 \
rdr-to 200.200.200.200 port 

#2
match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
$ext_if nat-to ($ext_if)

--
Fabio Martins

> Hi Fabio,
>
> I believe this will do what you want, seemed to work in quick testing
> here, adjust to suit your environment.
>
>
> match in on $ext_if proto tcp from  to ($ext_if) port 25
> rdr-to 200.200.200.200 port 
> match out on $ext_if proto tcp to 200.200.200.200 port  received-on
> $ext_if nat-to ($ext_if)
>




Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-13 Thread Nick Gustas

Hi Fabio,

I believe this will do what you want, seemed to work in quick testing 
here, adjust to suit your environment.



match in on $ext_if proto tcp from  to ($ext_if) port 25 
rdr-to 200.200.200.200 port 
match out on $ext_if proto tcp to 200.200.200.200 port  received-on 
$ext_if nat-to ($ext_if)




On 2/13/2020 11:56 AM, Fabio Martins wrote:

Hi,

I am trying to redirect + NAT incoming packets without the need for a TCP
proxy.

Currently I have the following setup to redirect hosts abusing SMTP to an
email trap:

inetd listening on 127.0.0.1:8000 and redirecting to an external host

# inetd.conf
127.0.0.1:8000  stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20
200.200.200.200 

and  + pf rule redirecting the hosts:

# pf.conf

table  persist file "/etc/pf/tables/spammers.txt"

pass in log on egress proto tcp from  to any port 25 \
  rdr-to 127.0.0.1 port 8000

I am trying to remove the inetd from the setup.
With Linux iptables I would do a DNAT + MASQUERADE, but with PF I already
tried:

# pf.conf

#1
pass in log on xnf0 proto tcp from  to any port  nat-to xnf0

#2
pass in log on egress proto tcp from  to any port 25 \
  rdr-to 200.200.200.200 port 


Rule #2 is correctly applied and changes the destination address to
200.200.200.200, but rule #1 (NAT) isn't applied.

I believe it is possible to NAT an external connection without using a TCP
proxy.

Tried also the example from here: https://www.openbsd.org/faq/pf/rdr.html

pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
pass out on $int_if proto tcp to $server port 80 received-on $int_if
nat-to $int_if

Without success.

Thanks!