Hello all,
I am posting because I am having a problem with my rule set for my gateway. I understand this is the FreeBSD forums of course but I must point out that this rule set is for an OpenBSD 4.6 server running the default version of PF. I have bought the 'Book of PF' and still have issues with (what I believe to be) packet reflection/redirection. Essentially my rule set works great for my internal network but when I try to access services from an outside network my fw blocks them (or never forwards them to be precise). To debug and troubleshoot this issue I have watched tcpdump and it seems that when I try to access any internal services from within my apartment such as http, ssh, ftp etc etc everything works (packets go from my external NIC to the internal NIC then to the switch, ultimately to the server and then back) However...when I am outside of my apartment and try to access any network services, the packets come in from the external interface (attached to the modem) and are dropped before reaching the internal interface. For those that have the same book the approach I took to mitigate this issue is discussed on page 58.
I have posted my ruleset below, any help would be greatly appreciated! In addition I have another question I would like to ask. My webserver ($mercury in the ruleset) has a number of jails running, which each contain more services. One for example is ftp, another is irc. My question is, since they are jails, do I need to have a ruleset on the webserver to redirect such traffic after it has been forwarded from the gateway/router? Or is the logic in the below ruleset enough for it to pass the packets through, in which case the webserver will know which jail (virtual IP) to pass it off to?
Thank you in advance, and if the ruleset for my webserver is needed to fix this issue I will gladly post it.
I know that $ftpJail and $ircJail are not being used in this ruleset, however I wanted to get everything work before I implemented those, and as mentioned in my 2nd question I was not sure if for services being run on $mercury's jails needed to be explicitly mentioned, or if passing them to $mercury was enough (and then having the ruleset on $mercury pass them to the jail) I have tried every possible combination I could think of...all to no avail. Please help :r
I am posting because I am having a problem with my rule set for my gateway. I understand this is the FreeBSD forums of course but I must point out that this rule set is for an OpenBSD 4.6 server running the default version of PF. I have bought the 'Book of PF' and still have issues with (what I believe to be) packet reflection/redirection. Essentially my rule set works great for my internal network but when I try to access services from an outside network my fw blocks them (or never forwards them to be precise). To debug and troubleshoot this issue I have watched tcpdump and it seems that when I try to access any internal services from within my apartment such as http, ssh, ftp etc etc everything works (packets go from my external NIC to the internal NIC then to the switch, ultimately to the server and then back) However...when I am outside of my apartment and try to access any network services, the packets come in from the external interface (attached to the modem) and are dropped before reaching the internal interface. For those that have the same book the approach I took to mitigate this issue is discussed on page 58.
I have posted my ruleset below, any help would be greatly appreciated! In addition I have another question I would like to ask. My webserver ($mercury in the ruleset) has a number of jails running, which each contain more services. One for example is ftp, another is irc. My question is, since they are jails, do I need to have a ruleset on the webserver to redirect such traffic after it has been forwarded from the gateway/router? Or is the logic in the below ruleset enough for it to pass the packets through, in which case the webserver will know which jail (virtual IP) to pass it off to?
Thank you in advance, and if the ruleset for my webserver is needed to fix this issue I will gladly post it.
Code:
intIF = "rl1"
extIF = "rl0"
localNet = $intIF:network
mercury = "192.168.0.101"
ftpJail = "192.168.0.102"
ircJail = "192.168.0.103"
icmpTypes = "{echoreq, unreach}"
match in on $intIF scrub (no-df random-id)
match in on $extIF scrub (reassemble tcp)
pass inet proto icmp all icmp-type $icmpTypes keep state
antispoof for $extIF
antispoof for $intIF
nat on $extIF from $localNet to any -> ($extIF)
rdr on $intIF proto tcp from $localNet to $extIF port 80 -> $mercury
rdr on $intIF proto tcp from $localNet to $extIF port 2222 -> $mercury
rdr on $intIF proto tcp from $localNet to $extIF port 6665 -> $mercury
no nat on $intIF proto tcp from $intIF to $localNet
nat on $intIF proto tcp from $localNet to $mercury port 80 -> $intIF
nat on $intIF proto tcp from $localNet to $mercury port 2222 -> $intIF
nat on $intIF proto tcp from $localNet to $mercury port 6665 -> $intIFI know that $ftpJail and $ircJail are not being used in this ruleset, however I wanted to get everything work before I implemented those, and as mentioned in my 2nd question I was not sure if for services being run on $mercury's jails needed to be explicitly mentioned, or if passing them to $mercury was enough (and then having the ruleset on $mercury pass them to the jail) I have tried every possible combination I could think of...all to no avail. Please help :r
