PF nat and rdr yield SYN_RCVD on internal machine

I can successfully connect from my external-facing machine (FBSD 13.2) to my internal machine's web server (14.0).
Trying to do so from $remote (a remote machine) through my external-facing machine shows both
rdr in the external-facing machine's pflog and
ingress on my internal machine's pflog.
But my connection hangs.
netstat -na | grep "80:"
shows
tcp4 0 0 <$webserver>.80 <$remote>.59916 SYN_RCVD
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN

The relevant rules on the external machine are below. (I include some of my additional rules for completeness).
Code:
#nat on $ext_if from $localnet to any -> ($ext_if)
nat on $ext_if from $int_if to any -> ($ext_if)
#rdr pass log on $ext_if proto tcp from !($ext_if) to ($ext_if) port 80 -> $webserver
rdr pass log on $ext_if inet proto tcp from any to $ext_if port 80 -> $webserver
# Neither of these rules matter, except for logging.
# With either the internal machine's pflog shows a connection, but netstat -na | grep "80:" shows "SYN_RCVD".
#pass in log quick on $ext_if inet proto tcp from any to $webserver port http keep state
# RDR rules in pf and source ip. - https://forums.freebsd.org/threads/rdr-rules-in-pf-and-source-ip.13715/
#pass out log quick on $int_if inet proto tcp from any to $webserver port http keep state

NOTE: I see the same results for rdr to internal's sshd.
What must I do to allow successful connections of remote attempts via rdr?

Follow-up:
With traffic appropriately passed to ext_if port 80 in pf.conf,
redir --laddr=<ext_ip> --lport=80 --caddr=<webserver> --cport=80
works. But it's a kludge, and I would like to firewall properly.
 