Solved: Basic PF config for redirecting traffic to a webserver

Hi, I have a small board that acts as my router/DHCP/DNS server and firewall.
I need to put together a "basic" pf configuration to redirect traffic to my server running a webserver (nginx).

For now I managed to write something, but I didn't succeed in my intent:

Code:
ext_if="re0"
int_if="re1"

webports = "{80,443}"
server = "192.168.1.16"
tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh, http}"

set skip on lo
scrub in

nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $server port 80

block in

pass out keep state
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services
pass quick on $int_if no state

But it doesn't work as expected.
 
Code:
rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $server port 80
Should be:
Code:
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $server port 80

Note that if you use rdr pass the traffic will automatically be allowed and all other filter rules are ignored.

pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services
Only allow incoming DNS on your external interface if you're running an authoritative DNS server. If you don't know what that is then you're not running it.
 
Okay, I've changed $ext_if to ($ext_if) but it still doesn't work.

With python http.server I can make it work if I use it directly from the FreeBSD machine.
BUT it's not accessible from outside, only from the LAN.

I should add that the router also manages PPPoE; I don't know if this has any bearing.

Thanks for pointing out that I should not allow incoming DNS; I'm not running an authoritative DNS server :)
 
Test the redirection from outside your network. You cannot test this from inside your network. Connections to the external IP address from inside your LAN won't pass through your $ext_if and thus the redirect is never applied.
 
Test the redirection from outside your network. You cannot test this from inside your network. Connections to the external IP address from inside your LAN won't pass through your $ext_if and thus the redirect is never applied.
I've tested the redirection from outside my network (and using different machines) but it doesn't work.

IF I remove "block in" and run a webserver on my FreeBSD machine I can access it from outside.
But the redirection still doesn't work.
 
Changing the $ext_if from re0 to tun0 solved it.
Do you need to use PPPoA/PPPoE to connect to the internet? Then yes, tun0 is your actual external interface.

IF I remove "block in" and run a webserver on my FreeBSD machine I can access it from outside.
Nope, probably because you changed something else too. The rdr pass will allow the traffic and ignore any and all other filter rules.

The best tool to diagnose issues like this is tcpdump(1). Actually seeing the packets can be quite enlightening.
 
Do you need to use PPPoA/PPPoE to connect to the internet? Then yes, tun0 is your actual external interface.


Nope, probably because you changed something else too. The rdr pass will allow the traffic and ignore any and all other filter rules.

The best tool to diagnose issues like this is tcpdump(1). Actually seeing the packets can be quite enlightening.
Thanks!
I have a probably stupid question:
What kind of relation is there between re0 (the actual physical interface) and tun0?
 
In your case it's the PPPoE/PPPoA tunnel (tun0) that actually connects you to the internet. The re0 interface only connects your computer to the modem. The tunnel runs on top of that re0 connection.
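The fixes the thread converges on, collected into one pf.conf as an added example (this is not the original poster's file or anything posted in the thread): ext_if is the PPPoE tunnel tun0 rather than re0, the rdr rule uses ($ext_if) so the tunnel's current address is looked up at run time, domain is dropped from tcp_services, the duplicate http/www entry is collapsed, and the stray period after the server macro is gone. The server address and interface names are the ones from the thread.

```pf
# Corrected pf.conf assembled from the thread's fixes (added example)
ext_if="tun0"          # the PPPoE tunnel is the real external interface; re0 only reaches the modem
int_if="re1"

server="192.168.1.16"  # LAN host running nginx (address from the thread)
# "domain" removed: no authoritative DNS server runs here, so no inbound DNS is needed
tcp_services="{ ntp, smtp, www, https, ftp, ssh }"

set skip on lo
scrub in

# Outbound NAT. ($ext_if) in parentheses is re-evaluated at run time,
# so the rule keeps working when the PPPoE address changes.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

# Redirect inbound HTTP to the internal server. "rdr pass" also passes the
# redirected traffic, bypassing the filter rules below, so no extra pass rule
# is needed for port 80.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $server port 80

block in

pass out keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass quick on $int_if no state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation rule is in place with `pfctl -sn`. To see the redirect actually happen, as suggested above, run `tcpdump -ni tun0 tcp port 80` on the tunnel and `tcpdump -ni re1 host 192.168.1.16 and tcp port 80` on the LAN side while connecting from outside the network; the test has to come from outside, since LAN clients hitting the external address never traverse tun0. The tcp_services list still exposes smtp, ftp and ssh on the router itself to the internet; trim it to the services the router really serves.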
 