PF 'rdr pass' to jail ip opens many random ports

In FreeBSD 10.3 the following pf.conf opens many seemingly random ports. nmap -Pn x.x.x.x shows a different number of open ports each time: 265, 115, etc. When the rdr pass ... line is commented out, nmap shows no additional open ports.

Code:
ext_if="re0"
ext_ip="x.x.x.x"
jail_if="lo1"
web_ports="{ 80, 443 }"
sshd_port=6543
jail_http="192.168.10.28"

nat pass on $ext_if from $jail_if:network to any -> $ext_ip
rdr pass log on $ext_if proto tcp from any to $ext_ip port $web_ports -> $jail_http

block log all
pass quick log proto tcp from any to $ext_ip port $sshd_port keep state
How should I fix the rdr pass ... line?
 
Remove the pass from the rdr line and create a separate pass rule.

Code:
rdr on $ext_if proto tcp from any to $ext_ip port $web_ports -> $jail_http

pass in on $ext_if proto tcp from any to $jail_http port $web_ports

Note that NAT (and thus redirection) happens before the rules are evaluated, so you need to use the redirected destination.
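A toy model of the evaluation order described in this answer, added here as an illustration and not code from the thread: rdr rewrites the destination first, then the filter rules are evaluated against the translated packet (last match wins unless a rule is quick), and rdr pass skips the filter rules entirely. The external address is a constructed documentation IP standing in for x.x.x.x; the jail address, ports and rules are the ones from the thread.

```python
from dataclasses import dataclass, replace

# Constructed values standing in for the thread's macros (198.51.100.10 is a
# documentation address in place of x.x.x.x; the rest is from the thread).
EXT_IP = "198.51.100.10"
JAIL_HTTP = "192.168.10.28"
WEB_PORTS = {80, 443}
SSHD_PORT = 6543

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int

def apply_rdr(pkt, rdr_pass):
    """rdr [pass] on $ext_if proto tcp from any to $ext_ip port $web_ports -> $jail_http
    Returns the translated packet and whether 'rdr pass' short-circuited filtering."""
    if pkt.dst == EXT_IP and pkt.dport in WEB_PORTS:
        return replace(pkt, dst=JAIL_HTTP), rdr_pass
    return pkt, False

def ruleset(web_pass_dst):
    """The thread's filter rules as (action, quick, match) tuples. web_pass_dst is the
    destination the web pass rule is written against: $ext_ip (wrong) or $jail_http."""
    return [
        ("block", False, lambda p: True),                                    # block log all
        ("pass", True, lambda p: p.dst == EXT_IP and p.dport == SSHD_PORT),  # pass quick ... sshd
        ("pass", False, lambda p: p.dst == web_pass_dst and p.dport in WEB_PORTS),
    ]

def filter_packet(pkt, rules):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    verdict = "block"
    for action, quick, match in rules:
        if match(pkt):
            verdict = action
            if quick:
                break
    return verdict

def evaluate(pkt, web_pass_dst=JAIL_HTTP, rdr_pass=False):
    """Translation first, then filtering of the translated packet."""
    translated, skip_filter = apply_rdr(pkt, rdr_pass)
    if skip_filter:
        return "pass"  # 'rdr pass': packet accepted without consulting the filter rules
    return filter_packet(translated, ruleset(web_pass_dst))
```

Calling evaluate with web_pass_dst=EXT_IP shows why a pass rule written against the pre-translation address never matches a redirected packet.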
 
No luck with suggested modifications. With pf.conf
Code:
ext_if="re0"
ext_ip="x.x.x.x"
jail_if="lo1"
web_ports="{ 80, 443 }"

sshd_port=6543
jail_http="192.168.10.28"

nat pass on $ext_if from $jail_if:network to any -> $ext_ip
rdr on $ext_if proto tcp from any to $ext_ip port $web_ports -> $jail_http

block log all
pass quick log proto tcp from any to $ext_ip port $sshd_port keep state
pass in on $ext_if proto tcp from any to $jail_http port $web_ports
nmap still shows many open ports. The number of filtered ports changes between nmap invocations: 949, 966, 463.
 
I'd remove the pass from the NAT too. And also use an explicit pass rule for it.
 
When I comment the nat line out, many ports are still open. The culprit seems to be the rdr line with its accompanying pass line. Any more suggestions?
 
Clear any previous rules; pfctl -F all -f /etc/pf.conf. I'm betting you're looking at old states (those aren't cleared when reloading the rules).
 
Clearing the previous rules does not help. With the nat line commented out there are still too many ports open.
 
Please post the output of the nmap scan. I have a feeling you're misinterpreting the results. Either that or you're not showing the whole pf.conf. The rules you posted only have ports 6543, 80 and 443 open.
 