[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

help with rdr rule



Hello everybody,
I have the following problems (it's about 5 days I'm working on it) and I'm not able to solve. I have a web server on a Win2k + IIS on my internal network that is working fine, and I want it to be accessible from the internet through my OpenBSD box (which has a public IP.)
The problem is that I'm not able to access it. Accessing from the openbsd box to the internal server is ok (lynx http://my.internal.web.srv ) but when I try connecting from the outside world, it results in a 'Page cannot be displayed' from IE). Does anybody know why? Or can point me to the right direction?
Thank you,
Gabriele
Here is my pf.conf:
int_if = "fxp0"
ext_if = "fxp1"
ext_addr = "nnn.nnn.nnn.nnn"
int_addr = "my.internal.net"
icmp_types = "echoreq"
tcp_services = "{ 23 }"          # "{ 23, 80 }"
RDR = "rdr pass on" $ext_if "proto tcp from any to" $ext_addr "port"
RDR_UDP = "rdr pass on" $ext_if "proto udp from any to" $ext_addr "port"
# SSH
openssh_port = "22"
openssh_int_addr = "my.internal.srv"
# Terminal Server
ts_port = "3389"
ts_int_addr = "my.terminal.srv"
# WEB
web_port = "80"
web_ssl_port = "443"
web_int_addr = "my.web.srv"
# VPN
# --> PPTP
gre = "47"   # GRE = IP protocol 47
pptp_port = "1723"
# --> L2TP/IPSec with NAT-T
esp = "50"                            # IPSEC-ESP = IP protocol 50
ah = "51"                             # IPSEC-AH = IP protocol 51
l2tp_port = "1701"
isakmp_port = "500"
natt_port = "4500"
# --> VPN Server
vpn_int_addr = "my.vpn.srv"
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"
# Set default response for block filter rules
set block-policy return
# Turn on log on the external interface
set loginterface $ext_if
# Scrub all incoming traffic
scrub in all
# NAT all internal network
nat on $ext_if from $int_if:network to any -> $ext_if
# Use ftp-proxy for internal FTP clients to connect to Internet FTP servers
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# Redirect OpenSSH traffic to internal server
$RDR $openssh_port -> $openssh_int_addr port $openssh_port
# Redirect Terminal Server traffic to internal server
$RDR $ts_port -> $ts_int_addr port $ts_port
# Redirect Web traffic
$RDR $web_port -> $web_int_addr port $web_port
$RDR $web_ssl_port -> $web_int_addr port $web_ssl_port
# Redirect PPTP traffic to internal server
$RDR $pptp_port -> $vpn_int_addr port $pptp_port
rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr
# Redirect L2TP traffic to internal server
#$RDR_UDP $l2tp_port -> $vpn_int_addr port $l2tp_port
$RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
$RDR_UDP $natt_port -> $vpn_int_addr port $natt_port
#rdr pass on $ext_if proto $esp from any to $ext_addr -> $vpn_int_addr
#rdr pass on $ext_if proto $ah from any to $ext_addr -> $vpn_int_addr
# ==> DEFAULT DENY
block all
# pass all traffic on the loopback interface
pass quick on lo0 all
# block all traffic coming from/to private networks on the external interface
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# open port for incoming allowed TCP traffic on the external interface
pass in on $ext_if inet proto tcp from any to \
  $ext_if port $tcp_services flags S/SA keep state
# open allowed ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types keep state
# permit all traffic trhough the internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
# permit all outgoing traffic to the Internet
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# permit incoming connections to ftp-proxy
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state