PF 'rdr pass' to jail ip opens many random ports

[w82]

In FreeBSD 10.3 the following pf.conf opens many seemingly random ports. nmap -Pn x.x.x.x shows each time different amount of open ports: 265, 115, etc. When the rdr pass ... line is commented out, then nmap shows no additional open ports.

ext_if="re0"
ext_ip="x.x.x.x"
jail_if="lo1"
web_ports="{ 80, 443 }"
sshd_port=6543
jail_http="192.168.10.28"

nat pass on $ext_if from $jail_if:network to any -> $ext_ip
rdr pass log on $ext_if proto tcp from any to $ext_ip port $web_ports -> $jail_http

block log all
pass quick log proto tcp from any to $ext_ip port $sshd_port keep state

How should I fix the rdr pass ... line?

 

[SirDice]

Remove the pass from the rdr line and create a separate pass rule.

rdr on $ext_if proto tcp from any to $ext_ip port $web_ports -> $jail_http

pass in on $ext_if proto tcp from any to $jail_http port $web_ports

Note that NAT (and thus redirections) happen before the rules are evaluated. So you need to use the redirected destination.

 

[w82]

No luck with suggested modifications. With pf.conf

ext_if="re0"
ext_ip="x.x.x.x"
jail_if="lo1"
web_ports="{ 80, 443 }"

sshd_port=6543
jail_http="192.168.10.28"

nat pass on $ext_if from $jail_if:network to any -> $ext_ip
rdr on $ext_if proto tcp from any to $ext_ip port $web_ports -> $jail_http

block log all
pass quick log proto tcp from any to $ext_ip port $sshd_port keep state
pass in on $ext_if proto tcp from any to $jail_http port $web_ports

nmap still shows many opened ports. Number of filtered ports changes over different nmap invocations: 949, 966, 463

 

[SirDice]

I'd remove the pass from the NAT too. And also use an explicit pass rule for it.

 

[w82]

When I comment the nat line out, then many ports are still open. Culprits seem to be the rdr line with accompanying pass line. Any more suggestions?

 

[SirDice]

Clear any previous rules; pfctl -F all -f /etc/pf.conf. I'm betting you're looking at old states (those aren't cleared when reloading the rules).

 

[w82]

Previous rules clearing does not help. With nat line commented out there are still too many ports open.

 

[SirDice]

Please post the output of the nmap scan. I have a feeling you're misinterpreting the results. Either that or you're not showing the whole pf.conf. The rules you posted only have ports 6543, 80 and 443 open.