Hello
I am trying to set up a network environment with the following purpose:
- Users in the private network can access the Internet.
- Users can remotely control a specific PC in the private network from the Internet through MS Remote Desktop.
- No problem accessing the Internet from the LAN, but the RDP port is closed.
Could you tell me what's wrong?
Thanks in advance,
Bruno
pf.conf:
Code:
## internal and external interfaces
int_if = "bge0"
ext_if = "xl0"
# Ports we want to allow access to from the outside world on our local system (ext_if)
tcp_services = "{ 3389, 80, 443 }"
# ping requests
icmp_types = "echoreq"
# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"
### options
set block-policy drop
set loginterface $ext_if
set skip on lo0
### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag
# combinations.
scrub in all
### nat/rdr
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
# redirect FTP traffic to FTP proxy on localhost:8021
# requires ftp-proxy to be enabled in /etc/inetd.conf
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 3389 -> 192.168.1.233 port 3389
### filter rules
block all
# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any
# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets
# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# allow in FTP control port
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state
# allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass quick on $ext_if proto tcp from any to 192.168.1.233 port 3389 keep state
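To see what pf actually does with an RDP connection under the ruleset above, here is an added Python trace (not part of the original post and not pf's own code). It hand-transcribes the relevant macros and rules into Python data and applies the documented evaluation order for the rdr-style syntax used in the post: translation runs before filtering, filter rules are evaluated top to bottom with the last match winning unless a matching rule is `quick`, and a rule with no `in`/`out` matches both directions. `EXT_ADDR` and the two client addresses are constructed placeholders; the ICMP and FTP rules are left out because they cannot match TCP port 3389.

```python
"""Trace pf's evaluation of the posted ruleset for RDP traffic (added example)."""
from ipaddress import ip_address, ip_network

INT_IF, EXT_IF = "bge0", "xl0"          # $int_if / $ext_if from the post
EXT_ADDR = "203.0.113.5"                # constructed stand-in for xl0's real address ($ext_if)
INT_NET = ip_network("192.168.1.0/24")  # $int_if:network
PRIV_NETS = [ip_network("127.0.0.0/8"), INT_NET]   # $priv_nets
TCP_SERVICES = {3389, 80, 443}          # $tcp_services
RDP_HOST = "192.168.1.233"              # rdr target from the post


def in_nets(addr, nets):
    return any(ip_address(addr) in n for n in nets)


def apply_rdr(pkt):
    """rdr on $ext_if proto tcp from any to any port 3389 -> 192.168.1.233 port 3389.

    rdr only rewrites packets arriving inbound on the named interface, so a
    packet that enters on bge0 (from the LAN) is returned unchanged.
    """
    if (pkt["dir"], pkt["iface"], pkt["proto"], pkt["dport"]) == ("in", EXT_IF, "tcp", 3389):
        return {**pkt, "dst": RDP_HOST}
    return pkt


# Filter rules transcribed in the order they appear in the post:
# (action, quick, direction or None, interface or None, match on the translated packet)
FILTER_RULES = [
    ("block", False, None, None, lambda p: True),                                   # block all
    ("block", True, "in", EXT_IF, lambda p: in_nets(p["src"], PRIV_NETS)),          # spoofed private src
    ("block", True, "out", EXT_IF, lambda p: in_nets(p["dst"], PRIV_NETS)),         # leaking private dst
    ("pass", False, "in", EXT_IF, lambda p: p["proto"] == "tcp"
     and p["dst"] == EXT_ADDR and p["dport"] in TCP_SERVICES),                      # services on ($ext_if)
    ("pass", False, "in", INT_IF, lambda p: ip_address(p["src"]) in INT_NET),       # LAN -> anywhere
    ("pass", False, "out", INT_IF, lambda p: ip_address(p["dst"]) in INT_NET),      # anywhere -> LAN
    ("pass", False, "out", EXT_IF, lambda p: p["proto"] == "tcp"),                  # tcp out via xl0
    ("pass", True, None, EXT_IF, lambda p: p["proto"] == "tcp"
     and p["dst"] == RDP_HOST and p["dport"] == 3389),                              # final quick rule
]


def evaluate(pkt):
    """Return (action, index of the deciding rule) for one packet on one interface."""
    pkt = apply_rdr(pkt)           # translation happens before filtering
    decision = None
    for i, (action, quick, direction, iface, match) in enumerate(FILTER_RULES):
        if direction not in (None, pkt["dir"]) or iface not in (None, pkt["iface"]):
            continue
        if not match(pkt):
            continue
        decision = (action, i)     # last match wins ...
        if quick:
            break                  # ... unless the matching rule is quick
    return decision


def trace_internet_rdp():
    """RDP SYN from an Internet host arriving on xl0: redirected, then passed by the quick rule."""
    pkt = {"dir": "in", "iface": EXT_IF, "proto": "tcp",
           "src": "198.51.100.7", "dst": EXT_ADDR, "dport": 3389}   # constructed client
    return evaluate(pkt)


def trace_forward_leg():
    """The same connection leaving on bge0 towards 192.168.1.233: passed by 'pass out on $int_if'."""
    pkt = {"dir": "out", "iface": INT_IF, "proto": "tcp",
           "src": "198.51.100.7", "dst": RDP_HOST, "dport": 3389}
    return evaluate(pkt)


def trace_lan_to_public_rdp():
    """A LAN host testing against the public address: the rdr on xl0 never fires, so the
    packet is passed to the firewall itself (rule 4) instead of reaching 192.168.1.233."""
    pkt = {"dir": "in", "iface": INT_IF, "proto": "tcp",
           "src": "192.168.1.50", "dst": EXT_ADDR, "dport": 3389}   # constructed LAN client
    return apply_rdr(pkt)["dst"], evaluate(pkt)


if __name__ == "__main__":
    print("Internet -> xl0:3389 :", trace_internet_rdp())
    print("forward leg on bge0  :", trace_forward_leg())
    print("LAN -> public:3389   :", trace_lan_to_public_rdp())
```

The trace shows that the ruleset as posted does let a connection from the Internet reach 192.168.1.233 on both legs, and that a test launched from inside the LAN against the public address never hits the `rdr on $ext_if` rule at all (that case needs a reflection rdr on `$int_if`, as the PF user's guide describes). When reviewing the final rule, note that it admits RDP from `from any`; restricting that source to a table of known client addresses and adding `log` to the rule keeps the exposure and the audit trail of a service like RDP under control.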