
Re: help with rdr rule



Gabriele:
A) Did you test the redirection on simpler rules like
   rdr proto tcp from any to $wwwserver_ext port 80 -> $wwwserver_int port 80
   If it works, then test your rules.
B) Re-check if $wwwserver_int has your BSD Firewall as its Default GW
C) Debug the packets with tcpdump: run 'tcpdump port 80' on both fw
interfaces and find where the problem is
D) If you can, move to Apache on BSD ;)
Hope it helps...
Good Luck
On Mon, 2004-05-03 at 07:48, Gabriele Oleotti wrote:
> Hello everybody,
> I have the following problem (I've been working on it for about 5 days) and I'm not able to solve it. I have a web server on a Win2k + IIS on my internal network that is working fine, and I want it to be accessible from the internet through my OpenBSD box (which has a public IP).
> 
> The problem is that I'm not able to access it. Accessing the internal server from the OpenBSD box is OK (lynx http://my.internal.web.srv), but when I try connecting from the outside world, it results in a 'Page cannot be displayed' from IE. Does anybody know why? Or can anybody point me in the right direction?
> 
> Thank you,
> Gabriele
> 
> Here is my pf.conf:
> 
> int_if = "fxp0"
> ext_if = "fxp1"
> 
> ext_addr = "nnn.nnn.nnn.nnn"
> int_addr = "my.internal.net"
> 
> icmp_types = "echoreq"
> 
> tcp_services = "{ 23 }"          # "{ 23, 80 }"
> 
> RDR = "rdr pass on" $ext_if "proto tcp from any to" $ext_addr "port"
> RDR_UDP = "rdr pass on" $ext_if "proto udp from any to" $ext_addr "port"
> 
> # SSH
> openssh_port = "22"
> openssh_int_addr = "my.internal.srv"
> 
> # Terminal Server
> ts_port = "3389"
> ts_int_addr = "my.terminal.srv"
> 
> # WEB
> web_port = "80"
> web_ssl_port = "443"
> web_int_addr = "my.web.srv"
> 
> # VPN
> # --> PPTP
> gre = "47"   # GRE = IP protocol 47
> pptp_port = "1723"
> 
> # --> L2TP/IPSec with NAT-T
> esp = "50"                            # IPSEC-ESP = IP protocol 50
> ah = "51"                             # IPSEC-AH = IP protocol 51
> l2tp_port = "1701"
> isakmp_port = "500"
> natt_port = "4500"
> 
> # --> VPN Server
> vpn_int_addr = "my.vpn.srv"
> 
> priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"
> 
> # Set default response for block filter rules
> set block-policy return
> 
> # Turn on log on the external interface
> set loginterface $ext_if
> 
> # Scrub all incoming traffic
> scrub in all
> 
> # NAT all internal network
> nat on $ext_if from $int_if:network to any -> $ext_if
> 
> # Use ftp-proxy for internal FTP clients to connect to Internet FTP servers
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 
> # Redirect OpenSSH traffic to internal server
> $RDR $openssh_port -> $openssh_int_addr port $openssh_port
> 
> # Redirect Terminal Server traffic to internal server
> $RDR $ts_port -> $ts_int_addr port $ts_port
> 
> # Redirect Web traffic
> $RDR $web_port -> $web_int_addr port $web_port
> $RDR $web_ssl_port -> $web_int_addr port $web_ssl_port
> 
> # Redirect PPTP traffic to internal server
> $RDR $pptp_port -> $vpn_int_addr port $pptp_port
> rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr
> 
> # Redirect L2TP traffic to internal server
> #$RDR_UDP $l2tp_port -> $vpn_int_addr port $l2tp_port
> $RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
> $RDR_UDP $natt_port -> $vpn_int_addr port $natt_port
> #rdr pass on $ext_if proto $esp from any to $ext_addr -> $vpn_int_addr
> #rdr pass on $ext_if proto $ah from any to $ext_addr -> $vpn_int_addr
> 
> # ==> DEFAULT DENY
> block all
> 
> # pass all traffic on the loopback interface
> pass quick on lo0 all
> 
> # block all traffic coming from/to private networks on the external interface
> block drop in  quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> 
> # open port for incoming allowed TCP traffic on the external interface
> pass in on $ext_if inet proto tcp from any to \
>   $ext_if port $tcp_services flags S/SA keep state
> 
> # open allowed ICMP traffic
> pass in inet proto icmp all icmp-type $icmp_types keep state
> 
> # permit all traffic through the internal interface
> pass in  on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
> 
> # permit all outgoing traffic to the Internet
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> 
> # permit incoming connections to ftp-proxy
> pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
-- 
G               [email protected]=NSM1179412=QCI+++z++++r---
I                                                              -
T                  Juan Pablo Feria Gomez.                     h
/    Network Administrator/Transportes Pitic S.A. de C.V.      +
M                                                              +
Ud?s+:+a-C++ULBP+L++$E---W++N--o--wM-PS+PE++Yt---X--R--tv--D+G e
You know you've spent too much time on the computer when you spill milk and the first thing you think is, 'edit, undo.'
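Added example, not part of the thread or of pf itself: the rdr rules above are built from the $RDR / $RDR_UDP macros, and step A of the reply is essentially "compare what the macros expand to against a plain rdr rule". The real way to see the expanded rules is `pfctl -nvf /etc/pf.conf`; the small Python expander below reproduces that textual expansion for a constructed excerpt of the posted config (hostnames and the nnn.nnn.nnn.nnn address are the thread's placeholders, not real values) and summarises each rdr rule so the interface, port and internal target can be checked at a glance. It implements only the macro, comment and line-continuation grammar needed for this file, not full pf.conf syntax.

```python
"""Simplified pf.conf macro expander (added example, not pfctl).
Use `pfctl -nvf /etc/pf.conf` for the authoritative expansion."""
import re

# Constructed excerpt of the pf.conf posted in the thread.
PF_CONF = r'''
int_if = "fxp0"
ext_if = "fxp1"
ext_addr = "nnn.nnn.nnn.nnn"
tcp_services = "{ 23 }"          # "{ 23, 80 }"
RDR = "rdr pass on" $ext_if "proto tcp from any to" $ext_addr "port"
RDR_UDP = "rdr pass on" $ext_if "proto udp from any to" $ext_addr "port"
web_port = "80"
web_int_addr = "my.web.srv"
isakmp_port = "500"
vpn_int_addr = "my.vpn.srv"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
$RDR $web_port -> $web_int_addr port $web_port
$RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
block all
pass in on $ext_if inet proto tcp from any to \
  $ext_if port $tcp_services flags S/SA keep state
'''

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
# A value is a sequence of double-quoted strings and bare words.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
RDR_RULE = re.compile(
    r'^rdr(?P<pass>\s+pass)?\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)'
    r'\s+from\s+\S+\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<port>\S+))?'
    r'\s+->\s+(?P<target>.+)$')


def strip_comment(line):
    """Drop a trailing # comment; a # inside double quotes is literal."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            return line[:i]
    return line


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    buf = ''
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        line = (buf + line).strip()
        buf = ''
        if line:
            yield line


def expand(value, macros):
    """Expand $name references in bare words; quoted text stays literal."""
    def lookup(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError('undefined macro $' + name)
        return macros[name]
    out = []
    for quoted, bare in TOKEN.findall(value):
        out.append(MACRO_REF.sub(lookup, bare) if bare else quoted)
    return ' '.join(out)


def expand_config(text):
    """Return the rule lines with every macro substituted, in file order."""
    macros, rules = {}, []
    for line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = expand(m.group(2), macros)
        else:
            rules.append(expand(line, macros))
    return rules


def redirect_summary(rules):
    """One dict per rdr rule: where it listens and where it sends traffic."""
    found = []
    for rule in rules:
        m = RDR_RULE.match(rule)
        if m:
            found.append({'iface': m['iface'], 'proto': m['proto'],
                          'dst': m['dst'], 'port': m['port'],
                          'target': m['target'], 'passes': bool(m['pass'])})
    return found


if __name__ == '__main__':
    for r in redirect_summary(expand_config(PF_CONF)):
        print('%(iface)s %(proto)s port %(port)s -> %(target)s'
              ' (pass: %(passes)s)' % r)
```

The `passes` flag marks rdr rules written as `rdr pass`, which skip the filter ruleset entirely; a plain `rdr` still has to be matched by a later `pass in` rule for the translated packet, which is the distinction the `tcp_services` list above only covering port 23 would matter for if `pass` were ever dropped from the $RDR macro.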