I was hoping to get some help on my pf rules. Most of them seem to work perfectly, but I cannot get my rdr rules to work. They seem to be ignored.
I want to use ftp-proxy to allow FTP connections from behind the pf firewall. My test setup is a VirtualBox FreeBSD install. My simple pf.conf:
Code:
set skip on lo0                     # no filtering on loopback
nat-anchor "ftp-proxy/*"            # ftp-proxy(8) loads its nat rules here
rdr-anchor "ftp-proxy/*"            # ... and its rdr rules here
rdr pass on em0 proto tcp from (em0) to any port 21 -> 127.0.0.1 port 8021   # hand FTP control connections to ftp-proxy
block log all                       # default deny, logged to pflog0
pass in quick inet proto tcp from any to any port { 8022, ssh }
pass out quick inet proto { tcp, udp } from any to any port domain
anchor "ftp-proxy/*"                # ftp-proxy's pass rules for data connections
pass out log inet proto tcp from 127.0.0.1 to any port ftp   # the proxy's own connections to FTP servers
em0 is the external NIC. There is no internal network in this test setup. I'm not sure if or why that would make a difference.
The results:
Code:
ftp -a ftp.freebsd.org
Trying 204.152.184.73...
ftp: connect to address 204.152.184.73: Operation not permitted
Trying 87.51.34.132...
ftp: connect to address 87.51.34.132: Operation not permitted
Trying 149.20.64.73...
ftp: connect to address 149.20.64.73: Operation not permitted
Trying 2001:4f8:0:2::e...
ftp: connect to address 2001:4f8:0:2::e: No route to host
Trying 2001:6c8:2:600::132...
ftp: connect: No route to host
ftp>
Code:
sudo tcpdump -n -e -ttt -i pflog0
Password:
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000000 rule 0/0(match): block out on em0: 192.168.5.7.28869 > 204.152.184.73.21: [|tcp]
00:00:00.000516 rule 0/0(match): block out on em0: 192.168.5.7.63577 > 87.51.34.132.21: [|tcp]
00:00:00.000186 rule 0/0(match): block out on em0: 192.168.5.7.11177 > 149.20.64.73.21: tcp 40 [bad hdr length 0 - too short, < 20]
00:00:14.489828 rule 0/0(match): block in on em0: 192.168.5.3.2190 > 192.168.5.15.2190: UDP, length 153
The install is FreeBSD 8.1 x86, with a custom kernel to add ALTQ.
I also want to set up Squid as a web proxy, but I was starting with this.
Thanks for any ideas.
em0 = 192.168.5.7
That's the external IP on my real local network NAT'd behind a Netgear router.
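Added example, not part of the original post: a short shell script that reduces the records printed by tcpdump -n -e -ttt -i pflog0 to rule number, action, direction, interface, source and destination, and counts how many were blocked outbound to a given port. The number in "rule 0/0(match)" is the filter rule that logged the packet and corresponds to the @N label in pfctl -vvsr output, so every logged drop can be traced back to a line in pf.conf; the destination field shows whether a connection was still addressed to port 21 on the real FTP server when it was filtered, rather than to 127.0.0.1 port 8021. The function names (summarize_pflog, count_blocked_out) are this example's own, and the sample records are copied from the tcpdump output quoted above.

```shell
#!/bin/sh
# Added example: summarise pf log records as printed by
#   tcpdump -n -e -ttt -i pflog0
# Each record looks like
#   00:00:00.000000 rule 0/0(match): block out on em0: 192.168.5.7.28869 > 204.152.184.73.21: [|tcp]
# and is reduced to one tab-separated line: rule action dir iface src dsthost dport
# summarize_pflog and count_blocked_out are this example's own names, not pf or tcpdump tools.

# Constructed sample: the four pflog records quoted in the post above.
SAMPLE_PFLOG='00:00:00.000000 rule 0/0(match): block out on em0: 192.168.5.7.28869 > 204.152.184.73.21: [|tcp]
00:00:00.000516 rule 0/0(match): block out on em0: 192.168.5.7.63577 > 87.51.34.132.21: [|tcp]
00:00:00.000186 rule 0/0(match): block out on em0: 192.168.5.7.11177 > 149.20.64.73.21: tcp 40 [bad hdr length 0 - too short, < 20]
00:00:14.489828 rule 0/0(match): block in on em0: 192.168.5.3.2190 > 192.168.5.15.2190: UDP, length 153'

# summarize_pflog: read pflog records on stdin, write one summary line per record.
# The "rule N/M" number is the filter rule that logged the packet; N matches the @N
# label printed by `pfctl -vvsr`, so each log line maps back to a pf.conf rule.
summarize_pflog() {
    awk '
    / rule [0-9]+\/[0-9]+\(/ {
        rule = $3;   sub(/\(.*$/, "", rule)        # "0/0(match):"        -> "0/0"
        action = $4                                # block | pass
        dir = $5                                   # in | out
        iface = $7;  sub(/:$/, "", iface)          # "em0:"               -> "em0"
        src = $8                                   # "192.168.5.7.28869"  (host.port)
        dst = $10;   sub(/:$/, "", dst)            # "204.152.184.73.21:" -> "204.152.184.73.21"
        dport = dst; sub(/^.*\./, "", dport)       # trailing dotted field is the port
        dhost = dst; sub(/\.[0-9]+$/, "", dhost)   # strip the port to get the host
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", rule, action, dir, iface, src, dhost, dport
    }'
}

# count_blocked_out PORT: number of records blocked outbound whose destination port is PORT.
# For port 21, a non-zero count means the connections were still addressed to the real
# FTP server (not to 127.0.0.1 port 8021) when the outbound filter dropped them, i.e. the
# rdr rule had not rewritten them.
count_blocked_out() {
    summarize_pflog | awk -v port="$1" '
        BEGIN { FS = "\t" }
        $2 == "block" && $3 == "out" && $7 == port { n++ }
        END { print n + 0 }'
}

# Stand-alone run on the constructed sample. On a live box, replace the printf with:
#   tcpdump -n -e -ttt -i pflog0 -l | summarize_pflog
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
printf 'blocked outbound to port 21: %s\n' "$(printf '%s\n' "$SAMPLE_PFLOG" | count_blocked_out 21)"
```

On the test box, pipe tcpdump -n -e -ttt -i pflog0 -l into summarize_pflog instead of the sample, then compare the rule column against the @N labels from pfctl -vvsr to see which pf.conf line is dropping each packet.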