
RE: help with rdr rule



THANK YOU SO MUCH!!!!
My fault was in your B). I'm actually migrating my firewall from MS ISA Server to OpenBSD, and the IIS server's gw pointed to the old ISA server...
Thank you so much to all who have answered my question!
bye,
Gabriele
-----Original Message-----
From: Juan Pablo Feria [mailto:[email protected]]
Sent: Monday, 3 May 2004 20.03
To: Gabriele Oleotti; [email protected]
Subject: Re: help with rdr rule
Gabriele:
A) Did you test the redirection on simpler rules like
rdr proto tcp from any to $wwwserver_ext port 80 -> $wwwserver_int port 80
If that works, then test your rules.
B) Re-check whether $wwwserver_int has your BSD firewall as its default GW.
C) Debug the packets with tcpdump: run a tcpdump on port 80 on both fw interfaces and find where the problem is.
D) If you can, move to Apache on BSD ;)
Hope it helps...
Good Luck
On Mon, 2004-05-03 at 07:48, Gabriele Oleotti wrote:
> Hello everybody,
> I have the following problem (I've been working on it for about 5 days) and I'm not able to solve it. I have a web server on Win2k + IIS on my internal network that is working fine, and I want it to be accessible from the Internet through my OpenBSD box (which has a public IP).
> 
> The problem is that I'm not able to access it. Accessing the internal server from the OpenBSD box is OK (lynx http://my.internal.web.srv ), but when I try connecting from the outside world, it results in a 'Page cannot be displayed' from IE. Does anybody know why? Or can anybody point me in the right direction?
> 
> Thank you,
> Gabriele
> 
> Here is my pf.conf:
> 
> int_if = "fxp0"
> ext_if = "fxp1"
> 
> ext_addr = "nnn.nnn.nnn.nnn"
> int_addr = "my.internal.net"
> 
> icmp_types = "echoreq"
> 
> tcp_services = "{ 23 }"          # "{ 23, 80 }"
> 
> RDR = "rdr pass on" $ext_if "proto tcp from any to" $ext_addr "port"
> RDR_UDP = "rdr pass on" $ext_if "proto udp from any to" $ext_addr "port"
> 
> # SSH
> openssh_port = "22"
> openssh_int_addr = "my.internal.srv"
> 
> # Terminal Server
> ts_port = "3389"
> ts_int_addr = "my.terminal.srv"
> 
> # WEB
> web_port = "80"
> web_ssl_port = "443"
> web_int_addr = "my.web.srv"
> 
> # VPN
> # --> PPTP
> gre = "47"   # GRE = IP protocol 47
> pptp_port = "1723"
> 
> # --> L2TP/IPSec with NAT-T
> esp = "50"                            # IPSEC-ESP = IP protocol 50
> ah = "51"                             # IPSEC-AH = IP protocol 51
> l2tp_port = "1701"
> isakmp_port = "500"
> natt_port = "4500"
> 
> # --> VPN Server
> vpn_int_addr = "my.vpn.srv"
> 
> priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"
> 
> # Set default response for block filter rules
> set block-policy return
> 
> # Turn on log on the external interface
> set loginterface $ext_if
> 
> # Scrub all incoming traffic
> scrub in all
> 
> # NAT all internal network
> nat on $ext_if from $int_if:network to any -> $ext_if
> 
> # Use ftp-proxy for internal FTP clients to connect to Internet FTP servers
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 
> # Redirect OpenSSH traffic to internal server
> $RDR $openssh_port -> $openssh_int_addr port $openssh_port
> 
> # Redirect Terminal Server traffic to internal server
> $RDR $ts_port -> $ts_int_addr port $ts_port
> 
> # Redirect Web traffic
> $RDR $web_port -> $web_int_addr port $web_port
> $RDR $web_ssl_port -> $web_int_addr port $web_ssl_port
> 
> # Redirect PPTP traffic to internal server
> $RDR $pptp_port -> $vpn_int_addr port $pptp_port
> rdr pass on $ext_if proto $gre from any to $ext_addr -> $vpn_int_addr
> 
> # Redirect L2TP traffic to internal server
> #$RDR_UDP $l2tp_port -> $vpn_int_addr port $l2tp_port
> $RDR_UDP $isakmp_port -> $vpn_int_addr port $isakmp_port
> $RDR_UDP $natt_port -> $vpn_int_addr port $natt_port
> #rdr pass on $ext_if proto $esp from any to $ext_addr -> $vpn_int_addr
> #rdr pass on $ext_if proto $ah from any to $ext_addr -> $vpn_int_addr
> 
> # ==> DEFAULT DENY
> block all
> 
> # pass all traffic on the loopback interface
> pass quick on lo0 all
> 
> # block all traffic coming from/to private networks on the external interface
> block drop in  quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> 
> # open port for incoming allowed TCP traffic on the external interface
> pass in on $ext_if inet proto tcp from any to \
>   $ext_if port $tcp_services flags S/SA keep state
> 
> # open allowed ICMP traffic
> pass in inet proto icmp all icmp-type $icmp_types keep state
> 
> # permit all traffic through the internal interface
> pass in  on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
> 
> # permit all outgoing traffic to the Internet
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> 
> # permit incoming connections to ftp-proxy
> pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
-- 
Juan Pablo Feria Gomez.
Network Administrator/Transportes Pitic S.A. de C.V.
You know you've spent too much time on the computer when you spill milk and the first thing you think is, 'edit, undo.'
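The following is an added Python model (not code from the thread or from pf itself) of the web rdr rule plus the state entry pf keeps for it, reproducing why the handshake fails when the IIS host's default gateway is not the pf box (point B above). The addresses are constructed placeholders standing in for $ext_addr and $web_int_addr.

```python
from dataclasses import dataclass
# Constructed placeholder addresses standing in for the thread's macros
# ($ext_addr = nnn.nnn.nnn.nnn, $web_int_addr = my.web.srv); not real hosts.
EXT_ADDR = "203.0.113.10"      # public address on $ext_if
WEB_INT_ADDR = "192.168.1.20"  # IIS host behind $int_if
CLIENT = "198.51.100.5"        # browser somewhere on the Internet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

class PfBox:
    """Models '$RDR $web_port -> $web_int_addr port $web_port' plus the state pf keeps."""
    def __init__(self):
        self.states = {}  # (client, client port) -> translated server endpoint

    def inbound_ext(self, p):
        if p.dst == EXT_ADDR and p.dport == 80:
            self.states[(p.src, p.sport)] = (WEB_INT_ADDR, 80)
            return Packet(p.src, p.sport, WEB_INT_ADDR, 80, p.flags)
        return None  # no rdr match: 'block all' drops it

    def outbound_ext(self, p):
        # A reply is untranslated only if it belongs to a state the rdr created.
        if self.states.get((p.dst, p.dport)) == (p.src, p.sport):
            return Packet(EXT_ADDR, 80, p.dst, p.dport, p.flags)
        return None

def iis_reply(p):
    # IIS answers the SYN it received; the SYN-ACK carries its private source.
    return Packet(p.dst, p.dport, p.src, p.sport, "SA")

def client_accepts(sent, reply):
    # The browser's TCP stack only takes a SYN-ACK for the 4-tuple it opened.
    return reply is not None and (reply.src, reply.sport, reply.dst, reply.dport) \
        == (sent.dst, sent.dport, sent.src, sent.sport)

def handshake(server_default_gw_is_pf):
    """True when the client gets a usable SYN-ACK, i.e. the rdr works end to end."""
    fw = PfBox()
    syn = Packet(CLIENT, 40000, EXT_ADDR, 80, "S")
    synack = iis_reply(fw.inbound_ext(syn))
    if server_default_gw_is_pf:
        synack = fw.outbound_ext(synack)  # pf rewrites src back to EXT_ADDR:80
    # Otherwise it leaves via the old ISA gateway, untouched by pf, and reaches the
    # client (if at all) still sourced from 192.168.1.20: point B in the reply.
    return client_accepts(syn, synack)
```

Running handshake(False) is the 'Page cannot be displayed' case: the rdr itself is correct, but the return path bypasses pf, so no packet ever matches the state it created.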