Hi,
I am using a FreeBSD 13.0 box as an internet router/gateway. The hardware has two physical NICs: one is for the internal net, the other goes to my DSL connection.
vtnet0 is my internal network interface, tun0 my external one for PPPoE.
What I am trying to achieve is to forward all incoming traffic to the external IP address, TCP port 5060, to an internal host, and this does not work. The firewall used is PF.
What am I missing here in my rule set below? A connection test from an external IP leads to "connection refused", while on the local machine port 5060 definitely is up and running.
Code:
#################################
#### Packet Firewall Ruleset ####
#################################
###################
#### Variables ####
###################
# External interface
ext_if="tun0"
# Internal interface
int_if="vtnet0"
# Follow RFC1918 and don't route to non-routable IPs
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
# NOTE: 20.20.20.0/24 is a public range, not an RFC1918 one (that is 10.0.0.0/8);
# check whether this entry is what was intended.
nonroute = "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
255.255.255.255 }"
# Set allowed ICMP types
# Blocking ICMP entirely is bad practice and will break things,
# FreeBSD applies rate limiting by default to mitigate attacks.
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"
####################################
#### Options and optimizations #####
####################################
# Set interface for logging (statistics)
set loginterface $ext_if
# Drop states as fast as possible without having excessively low timeouts
set optimization aggressive
# Block policy, either silently drop packets or tell sender that request is blocked
set block-policy return
# Don't bother to process (filter) following interfaces such as loopback:
set skip on lo0
# Scrub traffic
# Add special exception for game consoles such as PS3 and PS4 (NAT type 2 vs 3)
# scrub from CHANGEME to any no-df random-id fragment reassemble
scrub on $ext_if all
#######################
#### NAT & Proxies ####
#######################
# Enable NAT and tell pf not to change ports if needed
# Add special exception for game consoles such as PS3 and PS4 (NAT type 2 vs 3)
# ie static-port mapping. Do NOT enable both rules.
# nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Redirect inbound TCP 5060 (SIP) on the external address to the internal host;
# "rdr pass" also passes the redirected packets, bypassing the filter rules below
rdr pass log on $ext_if proto tcp from any to ($ext_if) port 5060 -> 192.168.1.162 port 5060
# Enable ftp-proxy (active connections)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Enable UPnP (requires miniupnpd; game consoles need this)
# rdr-anchor "miniupnpd"
# Anchors need to be set after nat-anchor/rdr-anchor
# Same as above regarding miniupnpd
anchor "ftp-proxy/*"
# anchor "miniupnpd"
################################
#### Rules inbound (int_if) ####
################################
# Pass on everything incl multicast
pass in quick on $int_if inet all keep state
#################################
#### Rules outbound (int_if) ####
#################################
# Pass on everything incl multicast
pass out quick on $int_if inet all keep state
################################
#### Rules inbound (ext_if) ####
################################
# Drop packets from non-routable addresses immediately
block drop in quick on $ext_if from $nonroute to any
# Allow DHCP
pass in quick on $ext_if inet proto udp to ($ext_if) port { 67, 68 }
# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types
# Allow FTP data connections to reach ftp-proxy (sockets owned by user proxy)
pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user proxy
# Block everything else
block in on $ext_if all
#################################
#### Rules outbound (ext_if) ####
#################################
# Drop packets to non-routable addresses immediately, allow everything else
block drop out quick on $ext_if from any to $nonroute
pass out on $ext_if all
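The three things to check before touching the rules are whether the rdr is actually loaded, whether pflog shows SYNs to 5060 being blocked on tun0 in spite of the "rdr pass", and whether the redirect target itself accepts the connection (a "connection refused" after a working rdr is a RST from the target, not from the gateway). The script below is an added diagnostic, not part of the original post; it assumes the names from the ruleset above (tun0, TCP 5060, 192.168.1.162), and the SAMPLE_* text is constructed, not captured.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original post.  Assumes the names
# from the ruleset above (tun0, TCP 5060, 192.168.1.162).  SAMPLE_* below are
# constructed, not captured, so the parsers can be exercised off the gateway.
EXT_IF="${EXT_IF:-tun0}"; PORT="${PORT:-5060}"; TARGET="${TARGET:-192.168.1.162}"

# "pfctl -s nat" text on stdin: succeed only if the rdr for $PORT on $EXT_IF
# to $TARGET is loaded.  pfctl may show the port numerically or as its
# /etc/services name (sip), so accept both.
rdr_loaded() {
    grep -Eq "^rdr .*on ${EXT_IF} .*proto tcp .*port = (${PORT}|sip) -> ${TARGET}"
}

# "tcpdump -n -e -ttt -i pflog0" text on stdin: print how many SYNs to $PORT
# the filter logged as "block in on $EXT_IF".  Non-zero while the "rdr pass"
# is loaded means an earlier rule (e.g. the $nonroute block) matched first.
blocked_syn_count() {
    grep -E "block in on ${EXT_IF}:" | grep -Ec "\.${PORT}: Flags \[S\]" || true
}

# From the gateway: does the redirect target itself accept the connection?
# A RST ("connection refused") after a working rdr comes from $TARGET, so the
# listener has to be there, not on the gateway.
target_listening() { nc -z -w 3 "$TARGET" "$PORT"; }

SAMPLE_NAT='nat on tun0 inet from 192.168.1.0/24 to any -> (tun0) round-robin
rdr pass log on tun0 inet proto tcp from any to (tun0) port = sip -> 192.168.1.162 port 5060'
SAMPLE_PFLOG='000000 rule 5/0(match): block in on tun0: 203.0.113.5.43210 > 198.51.100.7.5060: Flags [S], seq 1, win 65535, length 0
000012 rule 5/0(match): block in on tun0: 203.0.113.5.43211 > 198.51.100.7.5060: Flags [S], seq 2, win 65535, length 0
000020 rule 5/0(match): block in on tun0: 203.0.113.9.50000 > 198.51.100.7.22: Flags [S], seq 3, win 65535, length 0
000031 rule 7/0(match): pass in on tun0: 203.0.113.5.43212 > 198.51.100.7.5060: Flags [S], seq 4, win 65535, length 0'

# Exercise the parsers on the constructed samples (works on any host).
check_samples() {
    printf '%s\n' "$SAMPLE_NAT" | rdr_loaded || return 1
    [ "$(printf '%s\n' "$SAMPLE_PFLOG" | blocked_syn_count)" = 2 ]
}

# Live run on the gateway itself (needs root and pf).
if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    pfctl -s nat | rdr_loaded && echo "rdr for $PORT on $EXT_IF loaded" \
        || echo "rdr NOT loaded: check 'pfctl -nf /etc/pf.conf' and reload with 'pfctl -f'"
    n=$(tcpdump -n -e -ttt -c 20 -i pflog0 "tcp port $PORT" 2>/dev/null | blocked_syn_count)
    echo "blocked SYNs to port $PORT in the last 20 pflog records: $n"
    target_listening && echo "$TARGET:$PORT accepts connections from the gateway" \
        || echo "$TARGET:$PORT refused or unreachable from the gateway"
fi
```

Run it as root on the gateway while repeating the external connection test; the pflog count only covers the 20 records tcpdump captures during that window.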