PF NAT: Ports are not being forwarded.

Hey, I'm using FreeBSD 15.x with PF. So far my rules are working, but I can't get any port forwarding to work. As I understood it,
I have to specify an "rdr" and after that a related pass rule. I tested the rules with logging and saw the traffic in the log (blocked).

Code:
07:29:16.264482 IP ********.49652 > 10.10.0.2.5101: Flags [S], seq 107083461, win 65535, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0


Moving the block rule around doesn't resolve the problem.

/etc/pf.conf
Code:
#################################
#### Packet Firewall Ruleset ####
#################################

###################
#### Variables ####
###################

ext_if="vtnet0"
int_if="{ vtnet1, vtnet2 }"

load anchor nat-portforward from "/etc/pf/nat_portforward.conf"

nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
        255.255.255.255 }"

icmp_types = "{ 0, 3, 4, 8, 11, 12 }"

####################################
#### Options and optimizations #####
####################################

set loginterface $ext_if
set optimization aggressive
set block-policy drop
set skip on lo0
scrub on $ext_if all no-df fragment reassemble

#######################
#### NAT & Proxies ####
#######################

nat on $ext_if from !($ext_if:network) to any -> ($ext_if)

# FTP proxy
rdr on $int_if proto tcp from $int_if to any port 21 -> 127.0.0.1 port 8021

block in log on $ext_if all
anchor nat-portforward

################################
#### Rules inbound (int_if) ####
################################

Anchor: /etc/pf/nat_portforward.conf
Code:
####################################################
#### Packet Firewall Ruleset - NAT Port forward ####
####################################################

###################
#### Variables ####
###################

ext_if="vtnet0"
int_if="{ vtnet1, vtnet2 }"

# FTP proxy
rdr on $int_if proto tcp from $int_if to any port 21 -> 127.0.0.1 port 8021
rdr pass on $ext_if proto {tcp, udp } from any to any port 5101 -> 10.232.128.100 port 3389
rdr pass on $ext_if proto tcp from any to any port 25 -> 10.232.136.103

pass in quick on $ext_if inet proto {tcp, udp } from any to ($ext_if) port 5101 keep state
pass in quick on $ext_if proto tcp from any to any port { 25, 80, 443, 3389 } keep state

Greets...
 
There's no pass rule for port 21.

Also
Code:
# FTP proxy
rdr on $int_if proto tcp from $int_if to any port 21 -> 127.0.0.1 port 8021
Translate traffic incoming on the $int_if with a source address of $int_if? That's exactly nothing: packets with a source address of $int_if don't come in on that interface. They're already there.
 
"rdr" vs "rdr pass"
When you use "rdr" you need to have a separate pass rule for the traffic.
When you use "rdr pass" you don't need to have a separate pass rule.

Example:
Code:
rdr on $ext_if proto tcp from any to 1.2.3.4 port 13389 -> 192.168.10.3 port 3389
pass in on $ext_if inet proto tcp from any to any port 3389 keep state
Code:
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
 
When you use "rdr pass" you don't need to have a separate pass rule.
Also, other rules are entirely skipped.
Code:
rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 13389 -> 192.168.10.3 port 3389
block in on $ext_if from $badguys to ($ext_if)
The block rule will never get evaluated.

Code:
     If the pass modifier is given, packets matching the translation rule are
     passed without inspecting the filter rules:
 
I changed the rule:
Code:
rdr pass log on $ext_if proto { tcp, udp } from any to ($ext_if) port 5101 -> 10.232.128.100 port ms-wbt-server

But I'm still not able to get the port redirection to work.

I split out parts from pf.conf into anchors (files)...

Code:
#### Variables ####

ext_if="vtnet0"
int_if="{ vtnet1, vtnet2 }"

load anchor nat-portforward from "/etc/pf/nat_portforward.conf"
load anchor filter-int-input from "/etc/pf/filter_int_input.conf"
load anchor filter-int-output from "/etc/pf/filter_int_output.conf"

nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
        255.255.255.255 }"

icmp_types = "{ 0, 3, 4, 8, 11, 12 }"

#### Options and optimizations #####

set loginterface $ext_if
#set optimization aggressive
set block-policy drop
set skip on lo0

scrub on $ext_if all no-df fragment reassemble

#### NAT & Proxies ####

nat on $ext_if from !($ext_if:network) to any -> ($ext_if)

#block in log on $ext_if all

anchor nat-portforward

#### Rules inbound (int_if) ####

anchor filter-int-input

#### Rules outbound (int_if) ####

anchor filter-int-output

#### Rules inbound (ext_if) ####

block drop in quick on $ext_if from $nonroute to any

pass in quick on $ext_if inet proto tcp to ($ext_if) port 8822 keep state
pass in quick on $ext_if inet proto tcp to ($ext_if) port 80 keep state

pass quick inet proto udp to any port { 67, 68 } keep state
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# IPSec
pass quick inet proto udp from any to any port { 500, 4500 } keep state
pass quick inet proto esp from any to any keep state
pass quick inet proto ah from any to any keep state
Code:
#### Rules outbound (ext_if) ####
block drop out quick on $ext_if from any to $nonroute
pass out quick on $ext_if all keep state

block in log on $ext_if all

Log:
Code:
1778237967.088237 rule 20/0(match): block in on vtnet0: (tos 0x0, ttl 114, id 21468, offset 0, flags [none], proto TCP (6), length 52)
    130.149.****.50190 > 10.10.0.2.5101: Flags [S], cksum 0x3c7e (correct), seq 367019911, win 65535, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
 
I'm using mstsc and connect from outside to the server...

Code:
clear_tmp_enable="YES"
syslogd_flags="-ss"
hostname="FB-FSN-FW02"
keymap="de.acc.kbd"
ifconfig_vtnet0="inet 10.10.0.2 netmask 255.255.255.252 up"
defaultrouter="10.10.0.1"
sshd_enable="YES"
ntpd_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="vtnet1 vtnet2"

pf_enable="YES"
pflog_enable="YES"
moused_nondefault_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ifconfig_vtnet1="inet 10.232.136.1 netmask 255.255.248.0 up"
ifconfig_vtnet2="inet 10.232.128.1 netmask 255.255.248.0 up"
strongswan_enable="YES"
mrouted_enable="YES"
bgpdd_enable="NO"
avahi_daemon_enable="YES"
dbus_enable="YES"
openbgpd_enable="YES"
unbound_enable="YES"
haproxy_enable="YES"
nginx_enable="YES"
# Loopback alias for public IP (needed for self-connection)
# ifconfig_lo0_alias0="inet 85.10.209.158/32"
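To correlate the pflog lines above with the "@N" rule numbers that pfctl -vvsr prints, here is an added shell helper; it is not from the thread or from FreeBSD, and the sample records are constructed in the tcpdump -n -e -ttt -i pflog0 format shown above (the source address is a documentation-range placeholder, not the real client):

```shell
#!/bin/sh
# Condense pflog records (as printed by `tcpdump -n -e -ttt -i pflog0`) into one
# line per packet: action, matching rule number, interface/direction, src -> dst.
# The rule number is the "@N" index shown by `pfctl -vvsr`, so a "block rule=20"
# line can be looked up in the loaded ruleset directly.
pflog_summary() {
    awk '
    # Header line: "<ts> rule N/M(match): ACTION DIR on IFACE: (tos ..."
    $2 == "rule" {
        rule = $3; sub(/\/.*/, "", rule)       # "20/0(match):" -> "20"
        action = $4; dir = $5
        iface = $7; sub(/:$/, "", iface)       # "vtnet0:" -> "vtnet0"
        next
    }
    # Packet line: "    SRC.PORT > DST.PORT: Flags [S], ..."
    $2 == ">" {
        src = $1; dst = $3; sub(/:$/, "", dst)
        printf "%s rule=%s %s/%s %s -> %s\n", action, rule, iface, dir, src, dst
    }'
}

# Count how often each (action, rule, destination) combination appears.
# This is the quick way to see which rule keeps dropping the redirected port
# and whether the rdr rewrote the destination before or after the block.
pflog_counts() {
    pflog_summary | awk '{ key = $1 " " $2 " dst=" $6; n[key]++ }
                         END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample: two blocks on rule 20 and one rdr pair (pre/post translation).
SAMPLE_PFLOG='1778237967.088237 rule 20/0(match): block in on vtnet0: (tos 0x0, ttl 114, id 21468, offset 0, flags [none], proto TCP (6), length 52)
    198.51.100.7.50190 > 10.10.0.2.5101: Flags [S], cksum 0x3c7e (correct), seq 367019911, win 65535, length 0
1778237969.101010 rule 20/0(match): block in on vtnet0: (tos 0x0, ttl 114, id 21469, offset 0, flags [none], proto TCP (6), length 52)
    198.51.100.7.50191 > 10.10.0.2.5101: Flags [S], cksum 0x3c7f (correct), seq 367019912, win 65535, length 0
1778240530.835127 rule 0/0(match): rdr in on vtnet0: (tos 0x0, ttl 114, id 39150, offset 0, flags [none], proto TCP (6), length 52)
    198.51.100.7.59462 > 10.10.0.2.5101: Flags [S], cksum 0x5cc4 (correct), seq 3973524497, win 65535, length 0
1778240530.835130 rule 0/0(match): rdr in on vtnet0: (tos 0x0, ttl 114, id 39150, offset 0, flags [none], proto TCP (6), length 52)
    198.51.100.7.59462 > 10.232.128.100.3389: Flags [S], cksum 0xe233 (correct), seq 3973524497, win 65535, length 0'

# Run on the sample; on a live box: tcpdump -n -e -ttt -i pflog0 | pflog_counts
printf '%s\n' "$SAMPLE_PFLOG" | pflog_counts
```

A summary line such as "block rule=20 vtnet0/in ... -> 10.10.0.2.5101" means the packet still carried the untranslated destination when the block rule matched, which is the case to compare against "pfctl -vvsr | grep '^@20'".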
 
130.149.****.50190 > 10.10.0.2.5101: Flags
You have a translation rule somewhere, that redirects an incoming connection on $ext_if to 10.10.0.2:5101. External firewall? Are you trying to do a double NAT (or redirection) here?
 
nat on $ext_if from !($ext_if:network) to any -> ($ext_if)
10.10.0.2 is the external interface on the PF :)

Ah, you mean the second translation...

1778240530.835127 rule 0/0(match): rdr in on vtnet0: (tos 0x0, ttl 114, id 39150, offset 0, flags [none], proto TCP (6), length 52)
130.149.xxxxxx.59462 > 10.10.0.2.5101: Flags , cksum 0x5cc4 (correct), seq 3973524497, win 65535, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
1778240530.835130 rule 0/0(match): rdr in on vtnet0: (tos 0x0, ttl 114, id 39150, offset 0, flags [none], proto TCP (6), length 52)
130.149.xxxxxx.59462 > 10.232.128.100.3389: Flags , cksum 0xe233 (correct), seq 3973524497, win 65535, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
 
rdr pass log on vtnet0 inet proto tcp from any to (vtnet0) port = 5101 -> 10.232.128.100 port 3389
[ Evaluations: 25633 Packets: 2 Bytes: 104 States: 1 ]
[ Source Nodes: 0 Limit: 0 NAT/RDR: 0 Route: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 1 ]

It seems the problem is elsewhere =/
 