My domain is registered with namecheap and I have Cox as my ISP with a dynamic IP. Cox blocks port 80 so I have a redirect on my firewall for 8888 -> 80. Next in line is a Pound reverse proxy listening on port 80 and redirects to the Web server listening on port 8080 on a different server.
I can access the domain from inside my LAN using the domain name and port (http://www.example.com:8888) and I get a return of my test web page. When I use the DMZ IP (NAT'd) of the web server I get a page return.
An nslookup returns the correct IP of the domain which is my dynamic IP.
When I try to access the domain externally from outside my LAN, I fail to return the page.
I used to have this working on OpenSolaris with Zones using nginx as a reverse proxy and Apache as the Web server and used IPFilter. Now I've switched to PF and Pound using a FreeBSD host with VirtualBox hosting the proxy and web server as guests.
What am I missing?
This is my pf.conf
*I know I can change the antispoof rule*
Code:
# Macros
ext_if="axe0"
prv_if="axe1"
dmz_if="axe2"
# prv_hosts -- the list of addresses of hosts on the
# screened LAN
prv_hosts = "{192.168.1.10, 192.168.1.15}"
# dmz_hosts -- the list of addresses of hosts in the
# DMZ
dmz_hosts = "{192.168.2.21/32, 192.168.2.22/32, 192.168.2.23/32}"
# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.2.21/32"
# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.2.22/32"
# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.2.23/32"
# Tables
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
table <bruteforce> persist
# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface $ext_if
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set state-policy if-bound
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
# Translate packets
# nat for the private hosts
nat on $ext_if inet from $prv_hosts to any -> ($ext_if)
# nat for the dmz hosts
nat on $ext_if inet from $dmz_hosts to any -> ($ext_if)
# redirect connections to port 80 (HTTP) to DMZ
rdr on $ext_if inet proto tcp from any to ($ext_if) port 8888 -> $dmz_www port 80
rdr on $prv_if proto tcp from $prv_hosts to ($ext_if) port 8888 -> $dmz_www port 80
# redirect connections to port 25 (SMTP) to DMZ
rdr on $ext_if inet proto tcp from any to ($ext_if) port 25 -> $dmz_smtp
# redirect connections to port 53 (DNS) to DMZ
rdr on $ext_if inet proto {tcp, udp} from any to ($ext_if) port 53 -> $dmz_dns
# Normalize packets
match in all scrub (no-df random-id max-mss 1440 reassemble tcp)
match out all scrub (no-df random-id)
# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block log all
pass quick on lo0 all
block drop in quick on $ext_if from <bruteforce>
block in quick on $ext_if from <rfc1918> to any
block out quick on $ext_if from any to <rfc1918>
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any
# Block anything coming from source we have no back routes for
block in log quick from no-route to any
# Anti-fake return scans
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all
# Block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured. NAT disabled,
# (for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if from ! $ext_if to any
# Block nmap os detection scans
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
# special rule for ssh
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state (max-src-conn 1, max-src-conn-rate 3/5, overload <bruteforce> flush global)
# pass all connections originating from the firewall
pass out quick on $ext_if inet from ($ext_if) to any flags S/SA modulate state
# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA
# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA
pass quick on $dmz_if from $prv_hosts to any flags S/SA
# pass all connections to the WWW host in the DMZ
pass in on $ext_if proto tcp from any to $dmz_www port 80 flags S/SA synproxy state
#pass all connections to the SMTP host in the DMZ
pass in on $ext_if proto tcp from any to $dmz_smtp port 25 flags S/SA synproxy state
# pass all connections to the DNS host in the DMZ
pass in on $ext_if inet proto {tcp, udp} from any to $dmz_dns port 53 flags S/SA keep state
# antispoof rules to block spoofed packets
antispoof log quick for ($ext_if)
antispoof log quick for $prv_if
antispoof log quick for $dmz_if
antispoof log quick for lo0
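Added example, not from the original post: a small Python model of how PF evaluates the posted ruleset for one packet (the last matching rule wins, a matching rule marked quick ends the walk). Because the config sets state-policy if-bound, a state created in on axe0 does not cover the same connection leaving on axe2, so the model evaluates the forwarded SYN once on each interface. The rule table is a hand reduction of the posted pf.conf to the rules that can match TCP toward the web server (with the /32 suffixes dropped), and 203.0.113.5 is a constructed external client address.

```python
# Added model (not from the original post): PF walks the ruleset top to
# bottom, the LAST matching rule wins, and a matching rule marked "quick"
# ends the walk immediately. Rule tuples are a hand reduction of the posted
# pf.conf; 203.0.113.5 in the checks is a constructed external client.
PRV_HOSTS = ["192.168.1.10", "192.168.1.15"]
DMZ_HOSTS = ["192.168.2.21", "192.168.2.22", "192.168.2.23"]
DMZ_WWW = "192.168.2.21"

# (action, direction, iface, src, dst, dport, quick); None means "any"
RULES = [
    ("block", None, None,   "any",     "any",   None, False),  # block log all
    ("block", "in", "axe0", "any",     "any",   None, False),  # block return-rst in on $ext_if proto tcp all
    ("pass",  "in", "axe1", PRV_HOSTS, "any",   None, True),   # pass in quick on $prv_if from $prv_hosts
    ("pass",  "in", "axe2", DMZ_HOSTS, "any",   None, True),   # pass in quick on $dmz_if from $dmz_hosts
    ("pass",  None, "axe2", PRV_HOSTS, "any",   None, True),   # pass quick on $dmz_if from $prv_hosts
    ("pass",  "in", "axe0", "any",     DMZ_WWW, 80,   False),  # pass in on $ext_if ... to $dmz_www port 80
]

def addr_in(addr, spec):
    """spec is 'any', one address, or a list of addresses (a macro)."""
    if spec == "any":
        return True
    return addr in (spec if isinstance(spec, list) else [spec])

def evaluate(direction, iface, src, dst, dport):
    """Return (action, rule_index) of the rule PF would apply to one packet."""
    winner = None
    for idx, (action, rdir, riface, rsrc, rdst, rport, quick) in enumerate(RULES):
        if (rdir is not None and rdir != direction) or (riface is not None and riface != iface):
            continue
        if not (addr_in(src, rsrc) and addr_in(dst, rdst)) or (rport is not None and rport != dport):
            continue
        winner = (action, idx)          # last match so far
        if quick:                       # quick: stop walking the ruleset
            break
    return winner

def forwarded_path(src, in_iface):
    """A post-rdr SYN to the web server enters on in_iface and leaves on axe2.
    With 'set state-policy if-bound' the state created on the inbound interface
    does not cover axe2, so the packet is evaluated on each interface separately."""
    inbound = evaluate("in", in_iface, src, DMZ_WWW, 80)
    outbound = evaluate("out", "axe2", src, DMZ_WWW, 80)
    return inbound[0], outbound[0]
```

Running forwarded_path for a LAN client entering on axe1 and for an external client entering on axe0 shows which interface of each path falls through to the catch-all block rule.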