
urgent: rdr issue



Hello,
I'm having an issue with 'rdr' and PF on OpenBSD 3.3 (I know it's an
old version, but I cannot upgrade to something more recent right
now).
My network layout is as follows:

                      ______
                     |      |-- tun0  (PPPoE, dynamic IP)
  Internal   -- de0  |  GW  |
  192.168.108/24     |      |-- rl0   (static IP)
                      ------

The default route is for traffic to go out of tun0.
I have the following two rules (full pf.conf at the bottom):
ext_if1 = "rl0"
ext_if2 = "tun0"
[...]
rdr on $ext_if1 proto tcp from any to any port { 22 80 } -> $server
rdr on $ext_if2 proto tcp from any to any port { 22 80 } -> $server
[...]
If I try connecting to ports 22 or 80 on the dynamic IP (ext_if2) I
get sent to the internal server; if I try on the static IP
(ext_if1) then I don't get a connection.
Using tcpdump, the TCP connection request to ext_if1/rl0 actually
makes it to the internal server; $server generates an ACK for the
3-way handshake, the ACK is received on de0, but it's never passed
back to the originating host on the outside.
A bit of 'funky' stuff occurring: all internal SSH traffic is forced
out on the static IP (functionality works fine). We also have a PPP
modem connection to another site and I'm routing traffic to it.
Any ideas?
####################################
# Macros
####################################
lan_net = "192.168.108.0/24"
int_if  = "de0"
ext_if1 = "rl0"
ext_if2 = "tun0"
ext_all = "{" $ext_if2 $ext_if1 "}"
ext_gw1 = "63.250.."
ext_gw2 = "64.230.."
# The internal address of the server
server = "192.168.108.XXX"
# Some customers use different ports for SSH logins
ssh_ports  = "{ ssh telnet }"
####################################
# Tables
####################################
####################################
# Options
####################################
set block-policy return
####################################
# Traffic Normalization
####################################
####################################
# Queueing / Shaping
####################################
####################################
# Translation
####################################
# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on ppp0     from $lan_net to any -> (ppp0)
# Redirect SSH and web internally
rdr on $ext_if1 proto tcp from any to any port { 22 80 } -> $server
rdr on $ext_if2 proto tcp from any to any port { 22 80 } -> $server
# Redirect ftp to proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1       \
        port 8021
####################################
# Packet Filtering
####################################
# default deny
#block in  log from any to any
#block out log from any to any
# Allow all on localhost
pass quick on lo0 all
# Send connections out a particular interface
pass in quick log on $int_if route-to ppp0                        \
        proto tcp from $lan_net to 10.0.0.0/8 port $ssh_ports     \
        keep state
pass in quick log on $int_if route-to { ($ext_if1 $ext_gw1) }     \
        proto tcp from $lan_net to port $ssh_ports                \
        keep state
# Allow redirection of ports to OSC
pass in log on $ext_all proto tcp from any to $server port 22       \
        flags S/SA keep state
pass in log on $ext_all proto tcp from any to $server port 80       \
        flags S/SA keep state
# Allow on internal interface to/from internal network
pass in  on $int_if from  $int_if:network to any  keep state
pass out on $int_if from  any to $int_if:network  keep state
# Allow traffic to go out on external interface(s)
pass out on $ext_all proto tcp  all modulate state flags S/SA
pass out on $ext_all proto { udp, icmp } all keep state
# ftp proxy rules / queuing
pass  in on $ext_all inet proto tcp from any port 20 to $ext_all    \
        port 55000 >< 57000 user proxy flags S/SA keep state
pass out on $ext_all inet proto tcp from $ext_all                   \
        to any port 20 flags S/AUPRFS modulate state
pass out on $ext_all inet proto tcp from $ext_all                   \
        to any port > 1024 flags S/AUPFRS modulate state
# EOF
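The symptom the post describes (the rdr'd connection reaches $server via rl0, the server's reply arrives on de0, and the reply then follows the default route rather than going back out rl0) is the classic asymmetric-return problem on a multi-homed pf box. The fragment below is an added example, not the poster's pf.conf and not an answer from anyone on the list. It assumes the pf in use supports the reply-to option on pass rules (documented in pf.conf(5) alongside route-to, which the poster's own rules already use), and it uses obvious placeholders where the poster elided the gateway and server addresses.

```pf
# Added example, not the poster's configuration.
# Placeholders: replace GW1_PLACEHOLDER with the static-IP provider's
# gateway on rl0, and SERVER_PLACEHOLDER with the internal server.
int_if  = "de0"
ext_if1 = "rl0"
ext_if2 = "tun0"
ext_gw1 = "GW1_PLACEHOLDER"
server  = "SERVER_PLACEHOLDER"

# Same redirection on both external interfaces, as in the post.
rdr on $ext_if1 proto tcp from any to any port { 22 80 } -> $server
rdr on $ext_if2 proto tcp from any to any port { 22 80 } -> $server

# tun0 carries the default route, so replies to connections that arrive
# on tun0 already leave the right way: a plain keep-state rule suffices.
pass in log on $ext_if2 proto tcp from any to $server port { 22 80 } \
        flags S/SA keep state

# rl0 is not the default route. Without reply-to, $server's reply comes
# back in on de0 and the kernel routes it toward tun0. reply-to records
# the inbound interface and gateway in the state entry, so pf sends the
# matching reply packets out rl0 to that provider's gateway instead.
pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
        from any to $server port { 22 80 } flags S/SA keep state
```

A quick way to confirm which path a reply takes is to run tcpdump on rl0 and tun0 at the same time while connecting to the static IP from outside: with only the poster's rules, the server's reply to the rl0 connection shows up leaving tun0 (and is then dropped or ignored, since the source address does not belong to that path); with reply-to on the rl0 rule, the reply appears on rl0. `pfctl -ss` shows the state entries involved, which is useful for checking that the rl0 rule, not the tun0 one, created the state for a given connection.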