
Re: pf.conf frustration

So I've rem'd out all my block rules, and anything else that might be
causing trouble and messed around tons trying to get this to work without
any success. I have 2 http pass rules, and I have tried multiple other http
pass rules without success. My pflog shows nothing except the request coming
in. I can ssh in from outside, ping the outside ip, ping the webserver from
the firewall, ping the firewall from any internal machine, nslookup works
with the proper response from outside and inside. My webserver is properly
set up with the correct virtual hosts. I have used only the 1st rdr rule,
then added the second without success.
Can anyone see anything wrong that would cause this not to work?

#    $OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
#
# See pf.conf(5) for syntax and examples
# pass all packets in and out (these are the implicit last two rules)
outside="fxp0"
inside="ne1"
desktop="192.168.0.46"
webserver="192.168.0.201"
internal_net="192.168.0.0/24"
outside_ip="208.38.11.118"
#NoRouteIPs="{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
#0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8,
#31.0.0.0/8, 69.0.0.0/8, 70.0.0.0/7, 72.0.0.0/5, 82.0.0.0/7, 84.0.0.0/6,
#88.0.0.0/5, 96.0.0.0/3, 127.0.0.0/8, 128.0.0.0/16, 128.66.0.0/16,
#169.254.0.0/16, 172.16.0.0/12, 191.255.0.0/16}"
#EMailAssholes="{207.34.112.32, 220.116.0.0/12, 218.70.0.0/16, 61.72.0.0/14}"
#IP Range                        Who                                   Block Specification
#207.34.112.32                   Taco                                  207.34.112.32
#220.116.0.0 - 220.127.255.255   Korea Telecom                         220.116.0.0/12
#218.70.0.0 - 218.70.255.255     CHINANET Chongqing province network   218.70.0.0/16
#61.72.0.0 - 61.77.255.255       KOREA TELECOM                         61.72.0.0/14
scrub in all
#NAT
nat on $outside from $internal_net to any -> $outside_ip
#web server
rdr on $outside proto tcp from any to any port 80 -> $webserver port 80
#rdr on $outside proto tcp from any to 192.168.0.201 port 80 -> $webserver port 80
#default block all
#block in log on $outside all
#block emailassholes (fucking completely block the cunts.  not just port 25)
#block in log quick on $outside proto {tcp, udp} from $EMailAssholes to any
# don't allow anyone to spoof non-routeable addresses
#block in log quick on $outside from $NoRouteIPs to any
#block out log quick on $outside from any to $NoRouteIPs
#ssh
pass in quick log on $outside proto tcp from any to any port = 22 flags S/SA keep state
#smtp
pass in quick on $outside proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on $outside proto udp from any to any port = 25 keep state
#dns
pass in quick on $outside proto udp from any to any port = 53 keep state
pass in quick on $outside proto tcp from any to any port = 53 flags S/SA keep state
#http
pass in log quick on $outside proto tcp from any to any port = 80 flags S/SA keep state
pass in log quick on $outside proto tcp from any to $webserver port = 80 flags S/SA keep state
#pass in log quick on $inside proto tcp from $webserver to $webserver port = 80 flags S/SA keep state
#pass in log quick on $inside proto tcp from $outside to $webserver port = 80 flags S/SA keep state
#ident
#pass in quick on $outside proto tcp from any to any port = 113
#default
pass out log on $outside proto { tcp, udp, icmp } all keep state
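As an added illustration, not code from the post or from OpenBSD, here is a small Python model of how pf of that era walks the posted inbound rules: the rdr translation is applied before the filter rules, so the filter rules see the web server's internal address, and among the rules that match, the last one wins unless a matching rule carries "quick", which ends evaluation on the spot. It assumes packets arrive inbound on $outside (fxp0), treats "flags S/SA" as matching only a SYN without ACK, and models a subset of the post's rules with the addresses the post gives.

```python
from dataclasses import dataclass, replace

@dataclass
class Pkt:                   # an inbound packet arriving on $outside (fxp0)
    proto: str
    dst: str
    dport: int
    syn_only: bool           # SYN without ACK, which is what "flags S/SA" matches

@dataclass
class Rule:                  # a "pass in" / "block in ... on $outside" rule
    action: str
    proto: str
    dst: str                 # "any" or one address
    dport: int               # 0 means any port
    quick: bool = False
    syn_only: bool = False   # the rule carries "flags S/SA"

# rdr on $outside proto tcp from any to any port 80 -> $webserver port 80
RDR = {("tcp", 80): "192.168.0.201"}

# A subset of the post's "pass in quick on $outside" rules, in file order.
RULES = [
    Rule("pass", "tcp", "any", 22, quick=True, syn_only=True),
    Rule("pass", "tcp", "any", 53, quick=True, syn_only=True),
    Rule("pass", "tcp", "any", 80, quick=True, syn_only=True),
    Rule("pass", "tcp", "192.168.0.201", 80, quick=True, syn_only=True),
]

def translate(p: Pkt) -> Pkt:
    """rdr is applied before filtering, so the filter rules see the internal address."""
    new_dst = RDR.get((p.proto, p.dport))
    return replace(p, dst=new_dst) if new_dst else p

def matches(r: Rule, p: Pkt) -> bool:
    return (r.proto == p.proto and r.dst in ("any", p.dst)
            and r.dport in (0, p.dport) and (not r.syn_only or p.syn_only))

def evaluate(p: Pkt, rules=RULES):
    """Return (action, index of the winning rule or None, the packet as filtered)."""
    p = translate(p)
    winner = None
    for i, r in enumerate(rules):
        if matches(r, p):
            winner = i          # last matching rule wins ...
            if r.quick:         # ... unless that match is "quick"
                break
    action = rules[winner].action if winner is not None else "pass"  # implicit pass
    return action, winner, p
```

Feeding it a SYN for 208.38.11.118:80 shows the packet reaching the filter rules with destination 192.168.0.201 and being accepted by the first port-80 rule; prepending the commented-out "block in log on $outside all" changes nothing for that SYN, because the quick pass still wins, while a non-SYN packet with no matching pass rule would then be blocked.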