pf.conf rdr to internal interface

First of all: hello.

The requirement: I want to redirect all traffic from 172.23.15.0/24 to 172.23.1.1, for example. I tried
Code:
# a 'port' in a rdr rule is only accepted together with proto tcp or udp
rdr on $int_if proto tcp from 172.23.15.1/24 to any port 80 -> 172.23.1.1 port 80
but it doesn't work.
I have read a bit about pf.conf and it seems that it cannot rdr on the same interface. What I am thinking now: an alias. Will using an alias as an interface work?

I am using an older version of FreeBSD (5.4). I know it's old and all that. I'm planning on upgrading to the latest FreeBSD version but I cannot afford to do that now because I am not allowed to bring the network down for a couple of hours.

So, thanks in advance and have a nice evening.
 
I am not well versed in pf archeology, but IIRC you should still pass or allow the redirected traffic. The redirection alone does not tell pf to allow or pass:

Code:
rdr pass on $int_if proto tcp from 172.23.15.1/24 to any port 80 -> 172.23.1.1 port 80
 
Code:
21:09:50.458177 IP 172.23.1.7.64570 > 172.23.1.1.80: S 3706285212:3706285212(0) win 8192 <mss 1460,nop,nop,sackOK>
21:09:50.458789 IP 172.23.1.7.64570 > 172.23.1.1.80: R 3706285213:3706285213(0) win 0
That's what I get on the redirected machine if I try to access it from mine. I tried with rdr pass quick but it's still the same thing. As far as I can see, the redirection is being done but something else is stopping me from accessing 172.23.1.1 (window size = 0). If I try to access 1.1 directly from the web browser, it works. I have also tried
Code:
pass quick from 172.23.1.7 to 172.23.1.1
pass quick from 172.23.1.1 to 172.23.1.7
Not working.

TCPDUMP from 172.23.0.1
Code:
21:09:41.483146 IP 172.23.1.7.64570 > 172.23.0.1.8080: S 3706285212:3706285212(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
21:09:44.481232 IP 172.23.1.7.64570 > 172.23.0.1.8080: S 3706285212:3706285212(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
21:09:50.483609 IP 172.23.1.7.64570 > 172.23.0.1.8080: S 3706285212:3706285212(0) win 8192 <mss 1460,nop,nop,sackOK>
So it seems that 0.1 receives the packets but won't redirect them properly.
Any other ideas?
 
The server replies with a TCP RESET on receiving the first packet of the 3-way TCP handshake (SYN flag only). In "normal" cases this means that there is no program/daemon LISTENing on that port.


Without more details, like the topology of your network, output of the relevant ifconfig, netstat -rn -f inet, netstat -an -f inet commands it is very difficult to diagnose what is going on.

Which port?
Which port is the server LISTENing on? Port 80 or 8080?
 
J65nko said:
The server replies with a TCP RESET on receiving the first packet of the 3-way TCP handshake (SYN flag only). In "normal" cases this means that there is no program/daemon LISTENing on that port.


Without more details, like the topology of your network, output of the relevant ifconfig, netstat -rn -f inet, netstat -an -f inet commands it is very difficult to diagnose what is going on.

Which port?
Which port is the server LISTENing on? Port 80 or 8080?

The server is listening on port 80. Star topology... Anyways. If you know any other way of redirecting traffic from 172.23.15.1/24 to 172.23.1.1, I'm all for it :)

As I said, if I try to access 172.23.1.1 directly it works. I can see the website correctly, so the apache service is running, on default port, 80...

If you need more details please tell me.
 
This is all I can figure out ....
Code:
                                      webserver
                                     172.23.1.1/??
              |
              |
              |
+-------------|------------+
|      xxx.xxx.xxx.xxx/xx  | 
|                          |
|         FreeBSD 5.4      |
|           pf             |
|                          |
|        172.23.15.1/??    |
+-------------|------------+
              |
              |
              |
       +------|-----+
       |   switch   |
       +-|----------+ 
         |
         |
         |
         |
         |
         |
     workstation 
    172.23.1.7/??

Try to walk in our moccasins and fill in the missing details ;)
 
Code:
               |      NET     |
               +--------------+
                      |
                      |
                      |
           +--------------------+
           |   FreeBSD Server   |
           |   IP:172.23.0.1    |
           +--------------------+
                       |
                       |
                       |
+---------------------------------------------------------+
|                    SWITCH                               |
|                                                         |
|                                                         |
|                                                         |
+--|------------|----------------|--------------|-------|-+
   |            |                |              |       |
   |            |                |              |       |
   |            |                |              |       |
{  |            |         WORKSTATIONS          |       |          }
{172.23.1.1/20 172.23.1.2/20  172.23.1.7/20   so on  172.23.15.254 }
{                                                                  }
172.23.1.1 is in network 172.23.0.0/20.
I want to redirect traffic from 172.23.15.0/24 to 172.23.1.1
 
hac3ru said:
Code:
               |      NET     |
               +--------------+
                      |
                      |
                      |
           +--------------------+
           |   FreeBSD Server   |
           |   IP:172.23.0.1    |
           +--------------------+
                       |
                       |
                       |
+---------------------------------------------------------+
|                    SWITCH                               |
|                                                         |
|                                                         |
|                                                         |
+--|------------|----------------|--------------|-------|-+
   |            |                |              |       |
   |            |                |              |       |
   |            |                |              |       |
{  |            |         WORKSTATIONS          |       |          }
{172.23.1.1/20 172.23.1.2/20  172.23.1.7/20   so on  172.23.15.254 }
{                                                                  }
172.23.1.1 is in network 172.23.0.0/20.
I want to redirect traffic from 172.23.15.0/24 to 172.23.1.1

172.23.0.0/20 consists of 172.23.0.0-172.23.15.255. If you are not separating them into different VLANs then you cannot do that, because they all belong to the same network.
 
Ok then, I want to redirect 172.23.16.1/24 to 172.23.1.1... How can I do it?
Creating another subnet is not a problem.
 
Like gkontos stated, you need to either 1) separate the networks into VLANs which are tied together by the firewall, 2) add specific route rules to the switch if it's a managed switch, or 3) add custom routing rules to your DHCP server to hand to the DHCP clients (if using DHCP). Apart from that, the switch will see 172.23.15.0/24 as belonging to network 172.23.0.0/20 and route directly to the destination host, bypassing any firewalls.
 
hac3ru said:
Ok then, I want to redirect 172.23.16.1/24 to 172.23.1.1... How can I do it?
Creating another subnet is not a problem.

Are you trying to force http traffic over a transparent proxy?
 
Yes.
I just want it redirected....

What I want to do is get all workstations from 172.23.16.0/24 redirected to the main website, which contains information about the network, our business, and so on... That's why I need it.
I created another subnet (172.23.16.0/24 as I mentioned earlier) and now I guess I have to create a route from 172.23.16.0/24 to 172.23.0.0/20 ?

Latest Updates:

I created an alias with IP Address 172.23.16.1, mask 255.255.255.0
I added a static route to /etc/rc.conf
Code:
static_routes="internal"    # rc.conf only applies the route_<name> entries listed here
route_internal="-inet 172.23.16.0/24 172.23.16.1"
I can access 172.23.0.0/20 for 10 minutes after I restart the FreeBSD server. After that, it's all silent. I can't even ping from FreeBSD (172.23.16.1 alias) to a workstation (172.23.16.238)... Why is this happening?

Later Edit:
I cannot even ping 172.23.16.255 (broadcast address of the 2nd subnet). Not from the FreeBSD server nor the workstations... What's happening with it?
I created the 2nd subnet by editing dhcpd.conf
Code:
# ISC dhcpd: every statement inside the block ends with a semicolon.
# There is no 'range' statement, so no dynamic leases are handed out
# from this subnet; only fixed-address hosts get an answer.
subnet 172.23.16.0 netmask 255.255.255.0 {
    default-lease-time 600;
    option routers 172.23.16.1;
    option broadcast-address 172.23.16.255;
    option subnet-mask 255.255.255.0;
    option domain-name "internal_net";
    allow unknown-clients;
}
 
An alias must have a /32 subnet mask.

The redirect should take place at the gateway. In your case it will lead to asymmetric routing because the machine you are trying to redirect to is aware of 172.23.0.0/20 thus it will reply back directly and not via the gateway.

A quick and dirty solution is to give that machine (webserver) an alias IP outside the scope of your network. That way you would force it to contact the gateway for all traffic.

Code:
rdr pass on $int_if proto tcp from 172.23.15.1/24 to any port 80 -> 192.168.0.1 port 80

Of course, you will need to add a static route to your gateway for 192.168.0.1

In any case, you should try implementing proper layer3 switching because your network will be impossible to troubleshoot.
 
There is one more possibility. It's dirty but it works.

You can find in the pf doc a section that explains how to redirect traffic with nc. Should do the trick.
 
kisscool-fr said:
There is one more possibility. It's dirty but it works.

You can find in the pf doc a section that explains how to redirect traffic with nc. Should do the trick.

NC? I read the pf help page but couldn't see anything useful... ?

Creating a virtual network (192.168.0.0/30) and routing traffic from 172.23.16.0/24 to 192.168.0.2 (the web server) is not working.

And I just figured out a major mistake... It won't be enough to redirect traffic to my web server. I need people to see the index on my server when they try to access the web...
 
You can add a third NIC to your FreeBSD pf firewall box. Connect the web server to this NIC.

Now you can redirect the traffic entering on the internal NIC to the web server. Now the return or answer packets from the web server will be sent out on the internal NIC back to your internal LAN.

That is how I would do it ;)

BTW this kind of setup is called a DMZ.
 
J65nko said:
You can add a third NIC to your FreeBSD pf firewall box. Connect the web server to this NIC.

Now you can redirect the traffic entering on the internal NIC to the web server. Now the return or answer packets from the web server will be sent out on the internal NIC back to your internal LAN.

That is how I would do it ;)

BTW this kind of setup is called a DMZ.

I thought about that and that's probably how I'll do it eventually. Still, I said that it doesn't hurt to ask about redirecting through the firewall instead of adding another NIC. If I add another NIC to the FreeBSD, I'll configure it with an internal IP (192.168.10.1 for example), connect the webserver to it, with ip (192.168.10.2 let's say) and write a rule into pf.conf
Code:
# proto is required whenever a port is specified
rdr on $int_if proto tcp from 172.23.16.0/24 to any port 80 -> 192.168.10.2 port 80
and another rule to rdr the old IP of the webserver (172.23.1.1), because everyone knows about that, to 192.168.10.2, so if anyone tries to access the old IP, it'll get redirected to 192.168.10.2
Code:
# 'port auto' is not pf syntax; leaving out 'port' after '->' keeps the
# client's original destination port
rdr on $int_if proto { tcp udp } from 172.23.0.0/20 to 172.23.1.1 -> 192.168.10.2
I have an FTP server on that, and more, so I need to rdr from the IP's original port to the same port on 192.168.10.2.
I got that right? :)
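The three-NIC layout J65nko proposes, combined with the two rdr rules hac3ru sketches above, as one complete ruleset. This is an added example, not a configuration posted in the thread: the interface names fxp0/fxp1/fxp2 and the 192.168.10.0/24 DMZ addressing are assumptions (the addressing follows hac3ru's numbers), and the syntax is the rdr/nat form understood by the pf shipped with FreeBSD 5.x, not the rdr-to form of current OpenBSD.

```pf
# Assumed interface names; substitute the real ones from ifconfig
ext_if  = "fxp0"            # uplink, xxx.xxx.xxx.xxx/xx
int_if  = "fxp1"            # 172.23.0.1/20, the workstation LAN
dmz_if  = "fxp2"            # 192.168.10.1/24, third NIC for the web/FTP server

int_net = "172.23.0.0/20"
web_srv = "192.168.10.2"    # server address behind $dmz_if; its default
                            # route must point at 192.168.10.1, otherwise
                            # it cannot answer 172.23.x.x clients at all
old_web = "172.23.1.1"      # address the workstations still know

# $old_web lies inside the workstations' own /20, so they ARP for it
# instead of sending to the gateway.  The firewall has to own that
# address on $int_if for the packets to arrive at all, e.g.
#   ifconfig fxp1 alias 172.23.1.1 netmask 255.255.255.255

# ---- translation: first matching rdr wins, evaluated before filtering ----

# every HTTP request from the LAN ends up on the internal site,
# whatever address the browser asked for (proto is mandatory with 'port')
rdr on $int_if proto tcp from $int_net to any port 80 -> $web_srv port 80

# anything else aimed at the old address (FTP, SSH, ...) keeps its
# destination port: no 'port' after '->' means "same port"
rdr on $int_if proto { tcp udp } from $int_net to $old_web -> $web_srv

# ---- filtering: everything not listed is dropped, LAN -> Internet included ----
block log all
pass quick on lo0 all

# the firewall is also the DHCP server for the LAN; DHCP uses broadcast
# addresses, so it is passed statelessly in both directions
pass in  quick on $int_if inet proto udp from any port 68 to any port 67
pass out quick on $int_if inet proto udp from any port 67 to any port 68

# LAN hosts may talk to the firewall's own addresses (DNS, ping, ...)
pass in quick on $int_if from $int_net to $int_if keep state

# filter rules see the translated destination, so one pass rule covers
# both rdr rules above; the server's replies are matched by the state
# created here, and there is no second path for them to take
pass in  quick on $int_if proto { tcp udp } from $int_net to $web_srv keep state
pass out quick on $dmz_if proto { tcp udp } from $int_net to $web_srv keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; a missing `proto` in front of a `port` is reported at this stage. Passive-mode FTP works through the second rdr rule, because the PASV reply carries 192.168.10.2 and the clients reach that address via their default gateway; active-mode FTP needs either an extra `pass in on $dmz_if proto tcp from $web_srv port 20 to $int_net keep state` or ftp-proxy.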
 
Don't you think that it would be wiser to divide 3823 IPv4 addresses into smaller networks?

Don't you think that it would also be wiser to segregate those networks into zones?

  • Draw your network as it is now.
  • Plan your network as it should be, different divisions, outside / inside servers, VPN access points.
  • Get the necessary equipment and use LATEST stable OS versions.
  • Implement a vital and secure solution.

In your case, for a /20 network, I would not use less than 2 firewalls OR an internal switch with FW for distribution and an external FW.
 
hac3ru said:
NC? I read the pf help page but couldn't see anything useful... ?

Creating a virtual network (192.168.0.0/30) and routing traffic from 172.23.16.0/24 to 192.168.0.2 (the web server) is not working.

NC is for netcat. There is a chapter in the pf documentation page for redirection and reflection.

http://www.openbsd.org/faq/pf/rdr.html#reflect

hac3ru said:
And I just figured out a major mistake... It won't be enough to redirect traffic to my web server. I need people to see the index on my server when they try to access the web...

And how are they supposed to access the web?

Do you have a proxy, do you have a captive portal?
 
kisscool-fr said:
NC is for netcat. There is a chapter in the pf documentation page for redirection and reflection.

http://www.openbsd.org/faq/pf/rdr.html#reflect



And how are they supposed to access the web?

Do you have a proxy, do you have a captive portal?

Thank you for the link. // Edit: I have read that but, the server is running a very old FreeBSD version that doesn't support rdr-to and other solutions written in there...

They're not supposed to access the web. That's the idea. When they try to access the web, they should see my page.

No, I don't have a proxy.


I will divide my network when I change the OS. I want to update it but at the moment I cannot shut it down for the 2-3 or more hours needed to install the new OS...
 
hac3ru said:
Thank you for the link. // Edit: I have read that but, the server is running a very old FreeBSD version that doesn't support rdr-to and other solutions written in there...

They're not supposed to access the web. That's the idea. When they try to access the web, they should see my page.

No, I don't have a proxy.


I will divide my network when I change the OS. I want to update it but at the moment I cannot shut it down for the 2-3 or more hours needed to install the new OS...

The documentation is for the official OpenBSD pf. I posted the link just for the idea. You have to write pf rules according to your FreeBSD version. You can search the forum; the subject has already been discussed here.
 