Solved Port forwarding and filtering rules

I am trying to understand how port forwarding and the filtering rules work together. I set up a web server which listened to port 3000 for https and port 3001 for http so that I could avoid running it as root. I then added redirection rules to PF which forwarded the packets from port 80/443 to port 3001/3000. And it worked fine. I could connect to my web server without any issues.

But the problem was I didn't add any filtering rules that allow access to port 80, 443, 3000 or 3001 (please see the attached PF configuration). It seemed to me that the redirection rules bypass the filtering rules. Is that true? I tried to look for answers in either FreeBSD's or OpenBSD's handbook of PF but could not find any answer to it. I would like to have a better understanding of what's happening under the hood.

Code:
tcp_services = "{ssh, mysql}"

ext_inf0 = "em0"
web_ip = "192.168.1.251"

rdr pass on $ext_inf0 proto tcp from any to $web_ip port www -> $web_ip port 3001
rdr pass on $ext_inf0 proto tcp from any to $web_ip port https -> $web_ip port 3000

block in all
pass out all keep state
pass in quick on lo0 all
pass in log on $ext_inf0 proto tcp from any to any port $tcp_services keep state
 
I actually figured this out. My bad that I didn't go through pf.conf() carefully enough. The pass modifier actually made pf skip the filter rules.
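
The behaviour described in the last post, as an added example that is not part of the original thread: the same ruleset with the `pass` modifier removed from the `rdr` rules, so redirected packets are evaluated by the filter rules instead of skipping them. The `web_ports` macro and the final `pass in` rule are assumptions added for illustration.

```conf
tcp_services = "{ssh, mysql}"
web_ports = "{3000, 3001}"    # assumed macro: the ports the web server listens on

ext_inf0 = "em0"
web_ip = "192.168.1.251"

# Translation only. Without "pass", a redirected packet is still handed to
# the filter rules below and is dropped by "block in all" unless a pass
# rule matches it.
rdr on $ext_inf0 proto tcp from any to $web_ip port www -> $web_ip port 3001
rdr on $ext_inf0 proto tcp from any to $web_ip port https -> $web_ip port 3000

block in all
pass out all keep state
pass in quick on lo0 all
pass in log on $ext_inf0 proto tcp from any to any port $tcp_services keep state

# Translation happens before filtering, so the filter sees the rewritten
# destination port. This rule therefore has to name 3000/3001, not 80/443.
pass in on $ext_inf0 proto tcp from any to $web_ip port $web_ports keep state
```

Unlike the `rdr pass` version, this filter rule also admits connections made directly to ports 3000 and 3001 on `$ext_inf0`, because the filter cannot tell them apart from redirected ones by port alone.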