Solved rdr not passing

Trying to rdr the traffic for /usr/audio/teamspeak3 (every port in $services after 80) to 192.168.1.10 (kif)... I see the traffic pass into the firewall on my external interface (em0), but get no traffic on kif using tcpdump and the connection always errors out...

Code:
root@gateway:/usr/home/tim.falardeau # tcpdump -n -e -ttt -q -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
00:00:00.000000 rule 0..16777216/0(match): block in on em0: 70.166.151.80.62407 > (exterior ip).63004: UDP, length 96
00:00:06.436085 rule 0..16777216/0(match): block in on em0: 10.1.240.1.67 > 255.255.255.255.68: UDP, length 365
00:00:02.005694 rule 0..16777216/0(match): block in on em0: 10.1.240.1.67 > 255.255.255.255.68: UDP, length 365
00:00:04.056724 rule 3..16777216/0(match): block in on em0: 123.151.42.61.9061 > (exterior ip).1701: UDP, length 107
00:00:04.689592 rule 10..16777216/0(match): pass in on em0: x.x.x.x.57845 > x.x.x.x.9987: UDP, length 34
00:00:16.183314 rule 0..16777216/0(match): block in on em0: (exterior ip).138 > 68.15.62.127.138: UDP, length 227
00:00:00.000024 rule 0..16777216/0(match): block in on em0: (exterior ip).138 > 68.15.62.127.138: UDP, length 208
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

Code:
root@gateway:/usr/home/tim.falardeau # cat /root/firewall.d/pf.conf
############ Global Options #######################
ext_if="em0"
int_if="em1"
set block-policy return
set loginterface $ext_if
set skip on lo
set skip on $int_if

services="{ 80, 9987, 30033, 10011, 41144 } "
icmp_types="echoreq"
localnet="192.168.1.0/24"
ext_ip="x.x.x.x"
int_ip="192.168.1.1"
kif="192.168.1.10"
trusted_ips="{ x.x.x.x }"

table <us.blocks> persist file  "/root/firewall.d/us.blocks"
table <aliens> persist file "/root/firewall.d/aliens.blocks"
table <bruteforce> persist file "/root/firewall.d/bruteforce"
table <trusted.ips> persist file "/root/firewall.d/trusted.ips"
table <authpf_users> persist

################ End Global Options ################

########### Traffic Normalization ##################

scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all fragment reassemble

####################################################


####### NAT RULE GOES BEFORE ALL FILTERS ! ! #######

nat on $ext_if from $localnet to any -> ($ext_if)

####################################################

## REDIRECT RULES AFTER NAT AND BEFORE FILTERS !! ##

rdr on $ext_if inet proto tcp from any to $ext_ip port $services -> $kif
rdr-anchor "authpf/*" from <authpf_users>

####################################################

################## Filters #########################

block in log all

pass in quick on $ext_if inet proto tcp from $trusted_ips to any flags any

block drop log quick inet from <bruteforce>
block drop log quick on $ext_if inet from $localnet to <aliens>
block drop in log quick on $ext_if inet from <aliens> to $ext_ip
block drop in log quick on $ext_if inet from ! <us.blocks> to $ext_ip

pass in log quick on $ext_if inet proto tcp from any \
  to { $ext_ip, $localnet } port 22 \
  flags S/SA keep state \
  (max-src-conn 5, max-src-conn-rate 3/9, \
  overload <bruteforce> flush global)

pass in log on $ext_if inet proto {udp, tcp} from any to {self} port $services
pass out log on $ext_if inet proto {udp, tcp} from any to $localnet port $services
pass in log on $int_if inet proto {udp, tcp} from any to $localnet port $services
pass out log on $int_if inet proto {udp, tcp} from any to $localnet port $services

anchor "authpf/*" from <authpf_users>


####################################################
################### <END OF FILE> ##################
####################################################
 
You need to take into account that NAT and redirections happen before any rules are evaluated. So if you redirect, for example, port 80 to 192.168.10.10, you will need to create a rule that allows traffic from any to 192.168.10.10. Even though the connection itself actually connects to the IP address of the FreeBSD host, the destination address is translated to 192.168.10.10 before the rules are evaluated.

So this one:
Code:
pass in log on $ext_if inet proto {udp, tcp} from any to {self} port $services
Needs to be changed to:
Code:
pass in log on $ext_if inet proto {udp, tcp} from any to $kif port $services

This rule doesn't make sense:
Code:
pass out log on $ext_if inet proto {udp, tcp} from any to $localnet port $services
You will never have outgoing traffic on $ext_if with a destination address in $localnet. That would actually be bad, so remove it.
 
Still having same problem...
Code:
root@gateway:/usr/home/tim.falardeau # cat /root/firewall.d/pf.conf
############ Global Options #######################
ext_if="em0"
int_if="em1"

set block-policy return
set loginterface $ext_if
set skip on lo

services="{ 80, 9987, 30033, 10011, 41144 }"
icmp_types="echoreq"
localnet="192.168.1.0/24"
ext_ip="(exterior ip)"
int_ip="192.168.1.1"
kif="192.168.1.10"
trusted_ips="{ x.x.x.x }"

table <us.blocks> persist file  "/root/firewall.d/us.blocks"
table <aliens> persist file "/root/firewall.d/aliens.blocks"
table <bruteforce> persist file "/root/firewall.d/bruteforce"
table <asshole.ips> persist file "/root/firewall.d/asshole.ips"
table <trusted.ips> persist file "/root/firewall.d/trusted.ips"
table <authpf_users> persist

################ End Global Options ################

########### Traffic Normalization ##################

scrub in on $ext_if all fragment reassemble

####################################################


####### NAT RULE GOES BEFORE ALL FILTERS ! ! #######

nat on $ext_if from $localnet to any -> ($ext_if)

####################################################

## REDIRECT RULES AFTER NAT AND BEFORE FILTERS !! ##

rdr pass on $ext_if inet proto tcp from any \
  to {self, $localnet} port $services -> $kif
rdr-anchor "authpf/*" from <authpf_users>

####################################################

################## Filters #########################

block in log all


#pass log quick on $ext_if inet proto {tcp, udp} from $trusted_ips to any flags any

block drop log quick inet from <bruteforce>
block drop log quick on $ext_if inet from $localnet to <aliens>
block drop in log quick on $ext_if inet from <aliens> to $ext_ip
block drop in log quick on $ext_if inet from ! <us.blocks> to $ext_ip
block drop in log quick on $ext_if inet from <asshole.ips> to $ext_ip

pass in log quick on $ext_if inet proto tcp from any \
  to { $ext_ip, $localnet } port 22 \
  flags S/SA keep state \
  (max-src-conn 5, max-src-conn-rate 3/9, \
  overload <bruteforce> flush global)

pass in log on $ext_if inet proto {udp, tcp} from any \
  to {self, $kif} port $services
pass out log on $ext_if inet proto {udp, tcp} from {lo0, $localnet} to any

pass on $int_if

anchor "authpf/*" from <authpf_users>


####################################################
################### <END OF FILE> ##################
####################################################

I'm seeing the following traffic on my external interface (em0)
Code:
root@gateway:/usr/home/tim.falardeau # tcpdump -n -e -ttt port 9987
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.000000 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 76: (remote ip).50125 > (exterior ip).9987: UDP, length 34
00:00:00.006221 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 218: (remote ip).50125 > (exterior ip).9987: UDP, length 176
00:00:00.562811 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 76: (remote ip).50125 > (exterior ip).9987: UDP, length 34
00:00:00.006524 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 218: (remote ip).50125 > (exterior ip).9987: UDP, length 176
00:00:00.698730 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 76: (remote ip).50125 > (exterior ip).9987: UDP, length 34
00:00:00.000027 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 218: (remote ip).50125 > (exterior ip).9987: UDP, length 176
00:00:01.008258 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 76: (remote ip).50125 > (exterior ip).9987: UDP, length 34
00:00:00.000028 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 218: (remote ip).50125 > (exterior ip).9987: UDP, length 176
00:00:01.309813 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 76: (remote ip).50125 > (exterior ip).9987: UDP, length 34
00:00:00.100845 60:73:5c:72:a9:da > 00:22:4d:b5:ef:09, ethertype IPv4 (0x0800), length 218: (remote ip).50125 > (exterior ip).9987: UDP, length 176
^C
10 packets captured
9805 packets received by filter
0 packets dropped by kernel

No traffic at all on my internal interface or the server Kif (192.168.1.10)
Code:
root@gateway:/usr/home/tim.falardeau # tcpdump -n -e -ttt -i em1 port 9987
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
1468 packets received by filter
0 packets dropped by kernel

I got curious and started the apache server to make sure I wasn't going crazy...
traffic redirected fine through port 80...

Made sure the port was being listened to also...
Code:
root@kif:/usr/local/etc # netstat -an | grep 9987
udp4  0  0 *.9987  *.*
 
Found it... I feel a bit dumb. But, at least it's solved... I find more often than not I get stuck on the minutiae, and not the larger schema...
On the rdr line I forgot to pass both udp and tcp to kif...

Code:
## REDIRECT RULES AFTER NAT AND BEFORE FILTERS !! ##

rdr pass on $ext_if inet proto tcp from any \
  to {self, $localnet} port $services -> $kif
rdr-anchor "authpf/*" from <authpf_users>
 
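The evaluation order explained in the reply above (rdr runs before the filter rules) together with the protocol fix from the last post, as an added pf.conf fragment that is not the thread's own config; the macro values are placeholders copied from the posted file.

```pf
# Added example, not taken from the thread. Macros mirror the posted pf.conf;
# "(exterior ip)" is a placeholder exactly as the poster used it.
ext_if="em0"
int_if="em1"
ext_ip="(exterior ip)"
kif="192.168.1.10"
services="{ 80, 9987, 30033, 10011, 41144 }"

# Redirect BOTH protocols. TeamSpeak 3 voice (9987) is UDP, while file
# transfer (30033), ServerQuery (10011) and TSDNS (41144) are TCP.
# With "proto tcp" alone the UDP voice packets are never translated, so
# they arrive with the gateway's own address as destination and fall
# through to "block in log all" (the "block in on em0" lines in pflog).
rdr on $ext_if inet proto { tcp, udp } from any to $ext_ip port $services -> $kif

block in log all

# nat/rdr are applied before filtering, so the filter rule must match the
# translated destination ($kif), not {self}. keep state lets the replies
# from $kif back out; for UDP there is no handshake, only the state entry.
pass in log on $ext_if inet proto { tcp, udp } from any \
  to $kif port $services keep state

# The redirected packets still have to leave on the inside interface.
pass out on $int_if inet proto { tcp, udp } from any \
  to $kif port $services keep state

# Checks on the gateway (standard pfctl/tcpdump invocations):
#   pfctl -nf /root/firewall.d/pf.conf   # parse the file without loading it
#   pfctl -sn                             # show the active nat/rdr rules
#   pfctl -ss | grep 9987                 # state entries show the translation
#   tcpdump -n -i em1 port 9987           # translated packets on the inside
```

If the rdr rule is written as "rdr pass ..." instead, pf creates the matching pass-with-state rule implicitly and the explicit "pass in" above is not needed, but keeping the filter rule explicit makes the post-translation destination visible in the rule set.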