PF + SQUID FreeBSD (rdr)

So I want to redirect my server:
1. FreeBSD (pf+squid) gateway
2. Server (win_server)

I want to connect to my win_server from the WWW with the RDP protocol, so I've created these rules on my pf:

Code:
rdr on $ext_if proto tcp from any to $ext_if port rdp -> $server
rdr on $ext_if proto {tcp, udp} from any to $ext_if port 3389 -> $server port 3389

pass in on $ext_if proto {tcp, udp} from any to $ext_if port 3389
pass out on $int_if proto {tcp, udp} from any to $server port 3389

but no connection:(
 
Try something like this

Code:
pass in on $ext_if proto {tcp, udp} from any to [color="Red"]$server[/color] port 3389
pass out on $int_if proto {tcp, udp} from any to $server port 3389
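The point of this reply is that pf translates the destination with rdr before it evaluates filter rules, so a `pass in` rule written against `$ext_if` never matches the redirected packet; it has to match the internal host. As an added example (not code from this thread or from the FreeBSD project), the script below expands the macros in a pf.conf fragment and reports rdr rules whose traffic no `pass in` rule admits, distinguishing the "pass rule matches the pre-translation address" mistake from a missing rule altogether. The two configurations it checks are constructed to mirror the rules in this thread; the macro and rule syntax it understands is the subset used here, not a full pf.conf parser.

```python
"""Check that 'pass in' rules for pf 'rdr' redirects match the translated
destination (the internal host), not the external interface address.

Added example, not from the thread. pf applies rdr before filtering, so a
pass rule written against $ext_if never sees the redirected packet.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the thread's first rule set: the 3389 pass
# rule uses $ext_if where it should use $server; the 4899 rule is correct.
SAMPLE_PF_CONF = """\
ext_if="re0"
int_if="vr0"
server="192.168.1.2"
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $server port 3389
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $server port 4899
pass in on $ext_if proto {tcp, udp} from any to $ext_if port 3389
pass in on $ext_if proto {tcp, udp} from any to $server port 4899
pass out on $int_if proto {tcp, udp} from any to $server port 3389
"""

# Constructed sample using 'rdr pass', which creates the state itself.
FIXED_PF_CONF = """\
ext_if="re0"
server="192.168.1.2"
rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $server port 3389
block in on $ext_if
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
RDR_RE = re.compile(
    r'^rdr(?P<pass>\s+pass)?\b.*?\bon\s+(?P<iface>\S+).*?'
    r'\bto\s+(?P<dst>\S+)\s+port\s+(?P<port>\d+)\s+->\s+'
    r'(?P<target>\S+)(?:\s+port\s+(?P<tport>\d+))?')
PASS_IN_RE = re.compile(
    r'^pass\s+in\b.*?\bon\s+(?P<iface>\S+).*?\bto\s+(?P<dst>\S+)\s+port\s+(?P<port>\d+)')


def expand_macros(conf: str) -> List[str]:
    """Return the rule lines with $macro references replaced by their values."""
    macros: Dict[str, str] = {}
    rules: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():
            line = line.replace("$" + name, value)
        rules.append(line)
    return rules


def check_rdr_pass_rules(conf: str) -> List[str]:
    """Return one finding per rdr rule whose redirected traffic no filter rule admits."""
    rules = expand_macros(conf)
    pass_in = [m.groupdict() for m in map(PASS_IN_RE.match, rules) if m]
    findings: List[str] = []
    for m in filter(None, map(RDR_RE.match, rules)):
        if m.group("pass"):
            continue  # 'rdr pass' admits the traffic itself; no separate pass rule needed
        iface, dst, port = m.group("iface"), m.group("dst"), m.group("port")
        target, tport = m.group("target"), m.group("tport") or port
        if any(p["iface"] == iface and p["dst"] == target and p["port"] == tport
               for p in pass_in):
            continue  # correct: the pass rule matches the post-translation address
        if any(p["iface"] == iface and p["dst"] == dst and p["port"] == port
               for p in pass_in):
            findings.append(
                f"port {port}: 'pass in' matches {dst} (pre-translation); "
                f"it must match {target} port {tport}")
        else:
            findings.append(
                f"port {port}: no 'pass in' rule admits traffic to {target} port {tport}")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_PF_CONF), ("fixed", FIXED_PF_CONF)):
        print(name, check_rdr_pass_rules(conf) or "ok")
```

Run it as-is to see the sample flagged and the `rdr pass` version come back clean; to check your own file, read it into `check_rdr_pass_rules` instead of the embedded strings. It is a sanity check for the one pitfall discussed here, not a substitute for `pfctl -vnf` and a packet capture on pflog0.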
 
Code:
#===RDR_RDP_Radmin===
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $server port 338
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $server port 489

#====RDR_RDP_Radmin===
pass in on $ext_if proto {tcp, udp} from any to $server port 3389
pass out quick on $int_if inet proto {tcp, udp} from any to $server port 3389
pass in on $ext_if proto {tcp, udp} from any to $server port 4899
pass out quick on $int_if inet proto {tcp, udp} from any to $server port 4899


no connection
 
Code:
#===RDR===
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $dns_srv port 3389
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $dns_srv port 4899

block in
block in quick from <bad_host>
antispoof quick for { lo0 $int_if } inet

#====RDR Allow===
pass in on $ext_if proto {tcp, udp} from any to $dns_srv port 3389
pass out quick on $int_if inet proto {tcp, udp} from any to $dns_srv port 3389
pass in on $ext_if proto {tcp, udp} from any to $dns_srv port 4899
pass out quick on $int_if inet proto {tcp, udp} from any to $dns_srv port 4899
 
pashos said:
Code:
#===RDR===
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $server port 3389
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $server port 4899


#====RDR Allow===
pass in on $ext_if proto {tcp, udp} from any to $server port 3389
pass out quick on $int_if inet proto {tcp, udp} from any to $server port 3389
pass in on $ext_if proto {tcp, udp} from any to $server port 4899
pass out quick on $int_if inet proto {tcp, udp} from any to $server port 4899

no connection:(
 
An entire pf.conf will help us to help you !!!

Try this:


pashos said:
Code:
#===RDR===
rdr [color="Red"]pass[/color] on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $dns_srv port 3389
rdr [color="#ff0000"]pass[/color] on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $dns_srv port 4899

[color="Red"]#[/color]block in
[color="#ff0000"]#[/color]block in quick from <bad_host>
antispoof quick for { lo0 $int_if } inet

#====RDR Allow===
[color="#ff0000"]#[/color]pass in on $ext_if proto {tcp, udp} from any to $dns_srv port 3389
[color="#ff0000"]#[/color]pass out quick on $int_if inet proto {tcp, udp} from any to $dns_srv port 3389
[color="#ff0000"]#[/color]pass in on $ext_if proto {tcp, udp} from any to $dns_srv port 4899
[color="#ff0000"]#[/color]pass out quick on $int_if inet proto {tcp, udp} from any to $dns_srv port 4899
 
Code:
ext_if="re0"
int_if="vr0"
lan_net="192.168.1.0/24"
dns_srv="192.168.1.2"
#nat_ports="{5190, 21, 443, 563, 110}"
mail_users="{192.168.1.17, 192.168.1.24, 192.168.1.4, 192.168.1.5}"
mail_ports="{pop3, smtp, imap, pop3s, imaps}"
mail_srv="1.1.1.1"

table  <swat>    {192.168.1.0/24}
table  <bad_host> persist

set skip on { lo0 }
set block-policy return
set loginterface $ext_if
set optimization normal

scrub in

#====NAT====
nat on $ext_if inet from $mail_users to $mail_srv port $mail_ports -> ($ext_if:0)
nat on $ext_if inet from $int_if:network to any port {5190, 21, 110, 443, 25, 443, 563, 11} ->
nat on $ext_if proto {tcp, udp} from $dns_srv to any port 53 -> ($ext_if:0)
nat-anchor "ftp-proxy/*"

rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from $int_if:network to ! <swat> port www -> 127.0.0.1 port 8080
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#===RDR===
rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $dns_srv port 3389
rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $dns_srv port 4899

#block in
#block in quick from <bad_host>
antispoof quick for { lo0 $int_if } inet

#====RDR Allow===
#pass in on $ext_if proto {tcp, udp} from any to $ext_if port 3389
#pass out quick on $int_if inet proto {tcp, udp} from any to $ext_if port 3389
#pass in on $ext_if proto {tcp, udp} from any to $dns_srv port 4899
#pass out quick on $int_if inet proto {tcp, udp} from any to $dns_srv port 4899
#=====SSH=====
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 keep state
pass in on $ext_if proto {tcp, udp} from any to self port 1723
pass in on $ext_if proto tcp from any to any port ssh \
     flags S/SA keep state \

no results -> no connection
 
Do you have any errors if you check your rules with pfctl -vnf /etc/pf.conf?

I don't have enough time to check your pf.conf, but you should start with something simpler to see if it works and adjust your rules next.

Code:
ext_if="re0"
int_if="vr0"
lan_net="192.168.1.0/24"
dns_srv="192.168.1.2"
#nat_ports="{5190, 21, 443, 563, 110}"
mail_users="{192.168.1.17, 192.168.1.24, 192.168.1.4, 192.168.1.5}"
mail_ports="{pop3, smtp, imap, pop3s, imaps}"
mail_srv="1.1.1.1"

table  <swat>    {192.168.1.0/24}
table  <bad_host> persist

set skip on { lo0 }
set block-policy return
set loginterface $ext_if
set optimization normal

scrub in


nat on $ext_if from ! $ext_if -> $ext_if

rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $dns_srv port 3389
rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $dns_srv port 4899

block in on $ext_if
 
Hi,

Did you try to capture packets with tcpdump when you launch the connection?
[cmd=]$ tcpdump -i pflog0 -nn -n -s0 -e port 3389 or port 4899[/cmd]

If you don't have the interface pflog0:
[cmd=]$ kldload pflog[/cmd]

and verify with ifconfig.
 
Hi, I've checked with pfctl -vnf /etc/pf.conf, no errors.
 

[cmd=]pfctl -vnf /etc/pf.conf[/cmd]
no errors

Code:
freebsd# tcpdump -i pflog0 -nn -n -s0 -e port 3389 or port 4899
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes

freebsd# kldload pflog
kldload: can't load pflog: File exists
freebsd#
 