
Re: RDR for internal machine



On Monday, Mar 31, 2003, at 08:53 US/Pacific, Darley Ware wrote:

1. I have a webserver on the internal LAN which listens on port 8000. I can
view the webserver internally by IP and by name (using LMHOSTS records). I
have not, however, been able to access the internal webserver from the
outside. I saw a post over the weekend about name-based virtual hosting on web
servers. This does not seem to apply to me, as I have the server set up to
respond to IP and have no virtual domains configured. So I guess my question
is: do I have my redirect set up correctly, and if so, where lies the problem?


2. (and this one really is not that important) I cannot seem to get a
response to ICMP to outside addresses. I can ping in both directions from the
firewall and I believe my pings are getting out, but the responses do not
return to the internal clients.

As the others commented, tcpdump logs would have been useful. You can also apply tcpdump to pflog0 to see what pf is logging. Make sure to use tcpdump's -e switch there.

Rule comments inline:

# OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#
#
###----------------------------------------------------------------------
### MACROS - define interfaces: internet, intranet, wireless net
###


if_ext = "dc0"
if_int = "fxp0"
if_wir = "an0"

INT_Net="192.168.XX.XX/27"
WIFI_Net="192.168.YY.YY/27"

bad_ports = "69,135,137,138,139,445,524,548,1433,6000,31337,666,12345"

no_route = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
              255.255.255.255/32 }"

###----------------------------------------------------------------------
### Optimization
###


#set optimization aggressive
#set timeout tcp.established 3600
#set timeout { tcp.opening 30, tcp.closing 120 }
#set limit { states 20000, frags 5000 }

###----------------------------------------------------------------------
### statistics logging on external interface
###


set loginterface $if_ext
set loginterface $if_wir

###----------------------------------------------------------------------
### NAT Gateways
###


nat on $if_ext from $INT_Net to any -> $if_ext
nat on $if_ext from $WIFI_Net to any -> $if_ext

# Redirect outside ports to internal servers
rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
rdr on dc0 proto udp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000


###----------------------------------------------------------------------
### DEFAULT RULES
###


# INCOMING DEFAULT: block and normalize all
#scrub in on all
block in log all

# OUTGOING DEFAULT: block all
block out log all

# SPECIAL IMMEDIATE BLOCKS:

# block bad ports and external broadcasts
block in quick proto { udp,tcp } from any to any port { = $bad_ports }
block in quick on $if_ext from any to 255.255.255.255
block in quick on $if_wir from any to 255.255.255.255

# block weird tcp packets on WAN:
block in quick on $if_ext inet proto tcp from any to any flags FUP/FUP
block in quick on $if_ext inet proto tcp from any to any flags SF/SFRA
block in quick on $if_ext inet proto tcp from any to any flags /SFRA

# block weird tcp packets on WiFi:
block in quick on $if_wir inet proto tcp from any to any flags FUP/FUP
block in quick on $if_wir inet proto tcp from any to any flags SF/SFRA
block in quick on $if_wir inet proto tcp from any to any flags /SFRA

# don't allow anyone to spoof non-routeable addresses
block in  quick on $if_ext from $no_route to any
block out quick on $if_ext from any to $no_route

###----------------------------------------------------------------------
### LOOPBACK
###


pass in quick on lo0 all
pass out quick on lo0 all

These are overridden by the $bad_ports block rule above. Not likely an issue, but something to be aware of.

###----------------------------------------------------------------------
### EXTERNAL INTERFACE
###



# INCOMING: accept ssh
pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 22 flags S/SA keep state
pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000

No "keep state". This is a problem because...


# INCOMING DEFAULT: block all incoming

# OUTGOING: block non nated packets, pass the others
block out quick on $if_ext from !$if_ext/24 to any
pass out quick on $if_ext proto tcp from $if_ext/24 to any flags S/SA keep state

...this rule cannot pick up SA/SA, which will be the outbound response to
the inbound S/SA for the webserver.


pass out quick on $if_ext proto { udp } from $if_ext/24 to any keep state

# ICMP: ping
# remove next to block ping from Internet
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
pass out on $if_ext inet proto icmp all icmp-type 8 code 0 keep state

# OUTGOING DEFAULT: block all outgoing

###----------------------------------------------------------------------
### INTERNAL INTERFACE
###


# INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
pass in quick on $if_int proto tcp from $if_int/27 to $if_int/27 port = 22 flags S/SA keep state
pass in quick on $if_int proto { tcp,udp } from $if_int/27 to $if_int/27 port = 67 keep state
block in quick on $if_int from any to $if_int/27


# INCOMING: frwd traffic to all destinations (except bad ports & broadcasts)
pass in quick on $if_int from $if_int/27 to any

No "keep state". This is a problem because...


# INCOMING DEFAULT: block the rest (spoofed packets...)

# OUTGOING: pass all.
pass out quick on $if_int proto { tcp,udp } from any to $if_int/27 keep state

# ICMP: ping
pass out on $if_int inet proto icmp all icmp-type 8 code 0 keep state

...this rule cannot pick up the outgoing ICMP type 0 "echo reply", which will be the response to the incoming type 8 "echo request".

###----------------------------------------------------------------------
### WIRELESS INTERFACE
###


# INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
pass in quick on $if_wir proto tcp from $if_wir/27 to $if_wir/27 port = 22 flags S/SA keep state
pass in quick on $if_wir proto { tcp,udp } from $if_wir/27 to $if_wir/27 port = 67 keep state
block in quick on $if_wir from any to $if_wir/27


# INCOMING: frwd traffic to all destinations (except bad ports & broadcasts)
pass in quick on $if_wir from $if_wir/27 to any


# INCOMING DEFAULT: block the rest (spoofed packets...)

# OUTGOING: pass all.
pass out quick on $if_wir proto { tcp,udp } from any to $if_wir/27 keep state

# ICMP: ping

Suggestions: Reorganize your ruleset a bit. Don't mix quick and non-quick rules; it becomes hard to follow the flow, and this ruleset is not complex enough to need both. The "block" rules at the beginning would be an exception, since they're setting "defaults", and defaults are easy to understand when following the rule flow.

In some places you use "$if_int/27" where you could simply use
"$INT_Net".

Why $if_ext/24?  You're only NATing from whatever address is assigned
to $if_ext anyway.  Do you have traffic using other source addresses in
that netblock?  If the issue is a changing address, you can enclose it
in () to force an automatic rule update when necessary.
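As an added illustration (not the poster's configuration and not the reply's own text), here is a pf.conf fragment for the two external-interface and ICMP problems discussed above: the rdr for port 8000 paired with stateful pass rules, and ICMP echo handled with "keep state" so the type 0 reply rides on the state entry instead of needing its own rule. It follows the reply's suggestions (use $INT_Net rather than $if_int/27, wrap the external interface in parentheses, keep quick rules together) and one further fact about pf: filtering happens after rdr translation, so the pass rule for the redirected web traffic has to match the internal server address, not the external one. The macro name web_srv and the placeholder addresses are assumptions carried over from the original post, not real values.

```pf
# Macros: the author's interface names; addresses stay as the placeholders
# used in the original post (constructed values, not a real deployment).
if_ext  = "dc0"
if_int  = "fxp0"
INT_Net = "192.168.XX.XX/27"
web_srv = "192.168.XX.71"   # assumed macro for the rdr target in the post

# Redirect: ($if_ext) tracks the external address if it changes.
rdr on $if_ext proto tcp from any to ($if_ext) port 8000 -> $web_srv port 8000

# Defaults: deny and log everything not explicitly passed below.
block in  log all
block out log all

# Inbound web traffic. The packet is seen here already translated, so the
# destination is $web_srv. "keep state" lets the SYN-ACK (flags SA) leave
# dc0 and the whole flow cross fxp0 on the state entry; without it the
# outbound rule's "flags S/SA" can never match the reply.
pass in  quick on $if_ext proto tcp from any to $web_srv port 8000 flags S/SA keep state
pass out quick on $if_int proto tcp from any to $web_srv port 8000 flags S/SA keep state

# Internal clients going out: state created on both interfaces, so the
# returning packets need no stateless rule of their own. flags S/SA only
# applies to TCP, so TCP and UDP are separate rules.
pass in  quick on $if_int proto tcp from $INT_Net to any flags S/SA keep state
pass in  quick on $if_int proto udp from $INT_Net to any keep state
pass out quick on $if_ext proto tcp from ($if_ext) to any flags S/SA keep state
pass out quick on $if_ext proto udp from ($if_ext) to any keep state

# ICMP echo from the inside: keep state on the type 8 request so the
# type 0 reply is matched by state on dc0 and on fxp0. No "icmp-type 0"
# rule is needed, and the reply is no longer dropped by "block out".
pass in  quick on $if_int inet proto icmp from $INT_Net to any icmp-type 8 code 0 keep state
pass out quick on $if_ext inet proto icmp from ($if_ext) to any icmp-type 8 code 0 keep state

# Ping of the firewall from the Internet; delete this rule to refuse it.
pass in  quick on $if_ext inet proto icmp from any to ($if_ext) icmp-type 8 code 0 keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". To confirm which rule is dropping a packet, watch the log interface the reply mentions with "tcpdump -n -e -ttt -i pflog0"; the -e output names the rule number and the interface, so a blocked SYN-ACK on dc0 or a blocked echo reply on fxp0 shows up immediately.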