TCP Reflection (continued)

Hi all-

I've just completed a new OBSD 3.1 build, and am trying to get some form
of tcp reflection working on this system.  I know that the best choice
would be to create a DMZ... this is not a study in best practices, this
is an effort to get this feature _working_.  I've attempted to get this
working via tcp proxy (nc) and via the convoluted redirect method.  Here
is my network description:

    Internet <----->  (dc0) Firewall (dc1)  <--------->  Server
                      10.0/8      192.168.0/16      |
                                                    |->  Client

First, I tried to use the following redirection rules as provided by the
OpenBSD FAQ and Daniel himself (thanks Daniel).  I can't even get to
testing them, pfctl complains of a syntax error on the last rule:

    rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server
    no nat on $int_if proto tcp from $int_if to $int_net
    nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

    /etc/nat.conf:22: syntax error
    pfctl: syntax error in file: nat rules not loaded

So, I'm trying to use the tcp proxy method via netcat, but that doesn't
work either.  I first attempted to use the default example as found in
(inetd.conf) stream tcp wait nobody /usr/bin/nc nc -w 20

    rdr on $int_if proto tcp from $int_net to $ext_if port 80 ->
    port 5000

The client appears to connect to the proxy just fine, based on the
output of "pfctl -ss", netstat, and tcpdump.  However, it appears that
the firewall is not translating the destination, as tcpdump on the
server shows a source address of  I've tried various
redirection/nat rules, and nothing seems to be working.  Best results
end in a flood of S/F packets being sent between the firewall and server
(after a lengthy delay of nothingness)... worst results show a S/SA
connection between the client and firewall, then nothing.

Any suggestions?
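The three-rule ruleset quoted in the post (rdr, no nat, nat) is easier to reason about when the address rewriting is traced one packet at a time. The following is an added illustration, not part of the original post or the OpenBSD FAQ, and it says nothing about the syntax error: it models a client SYN to $ext_if:80 as the firewall would translate it on the internal interface, then the server's SYN/ACK, first with the nat rule present and then with it omitted. The addresses are constructed stand-ins for the post's macros, and the "firewall" is a few functions rather than pf itself.

```python
# Added illustration (not the poster's code): what the quoted pf reflection
# rules do to a LAN client's SYN and to the server's reply.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addresses standing in for the macros in the post.
EXT_IF = ip_address("10.0.0.1")         # $ext_if (dc0)
INT_IF = ip_address("192.168.0.1")      # $int_if (dc1)
INT_NET = ip_network("192.168.0.0/16")  # $int_net
SERVER = ip_address("192.168.0.10")     # $server
CLIENT = ip_address("192.168.0.20")     # a client on the same LAN


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


def apply_rdr(pkt: Packet) -> Packet:
    # rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server
    if pkt.src in INT_NET and pkt.dst == EXT_IF and pkt.dport == 80:
        return replace(pkt, dst=SERVER)
    return pkt


def apply_nat(pkt: Packet, with_nat_rule: bool = True) -> Packet:
    # no nat on $int_if proto tcp from $int_if to $int_net
    # (the firewall's own traffic to the LAN is left alone)
    if pkt.src == INT_IF and pkt.dst in INT_NET:
        return pkt
    # nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if
    if with_nat_rule and pkt.src in INT_NET and pkt.dst == SERVER and pkt.dport == 80:
        return replace(pkt, src=INT_IF)
    return pkt


def forward_syn(with_nat_rule: bool = True) -> Packet:
    """The client's SYN to $ext_if:80 as it leaves the firewall toward the server."""
    syn = Packet(CLIENT, EXT_IF, 40000, 80)
    return apply_nat(apply_rdr(syn), with_nat_rule)


def server_reply(syn_at_server: Packet) -> Packet:
    """The server answers whatever source address the SYN carried."""
    return Packet(SERVER, syn_at_server.src, 80, syn_at_server.sport)


def reverse_translate(reply: Packet) -> Packet:
    """Undo both translations for a reply that arrives back at $int_if."""
    return Packet(EXT_IF, CLIENT, reply.sport, reply.dport)


def client_accepts(reply_seen_by_client: Packet) -> bool:
    """The client sent its SYN to $ext_if:80, so only that tuple matches its socket."""
    return reply_seen_by_client.src == EXT_IF and reply_seen_by_client.sport == 80


def trace(with_nat_rule: bool) -> dict:
    """Follow one connection attempt and report what each side sees."""
    at_server = forward_syn(with_nat_rule)
    reply = server_reply(at_server)
    if reply.dst == INT_IF:
        seen = reverse_translate(reply)  # reply came back through the firewall
    else:
        seen = reply                     # delivered directly on the LAN
    return {
        "src_seen_by_server": str(at_server.src),
        "reply_via_firewall": reply.dst == INT_IF,
        "client_accepts": client_accepts(seen),
    }


if __name__ == "__main__":
    print("with nat rule:   ", trace(True))
    print("without nat rule:", trace(False))
```

With the nat rule in place the server sees the firewall's internal address as the source, so its SYN/ACK returns to the firewall, is un-translated, and reaches the client from $ext_if:80 as the client expects. Without it, rdr alone still delivers the SYN to the server, but the server answers the client directly from its own address, and the client has no socket waiting for a reply from $server:80, so the handshake never completes; that is the reason the FAQ pairs the rdr with the nat on the same interface.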