Remote Desktop Connection Problem

Z

ziway

Hi All:

I try to setup a network environment as follwing topology.

http://picasaweb.google.com.tw/ziway.net/ImageHosting#5480213481267166610

My purpose:

1. Let specific users are in the private network can access internet via NAT.
2. Let users can remote control specific PCs in the private network from internet through MS Remote Desktop.

pf.conf:
Code: 
LAB_IF="age0"
MOD_IF="tun0"

table <Brian> persist file "/etc/pf/Brian"
table <Fred> persist file "/etc/pf/Fred"
table <Iris> persist file "/etc/pf/Iris"
table <Jack> persist file "/etc/pf/Jack"
table <Joe> persist file "/etc/pf/Joe"
table <Juice> persist file "/etc/pf/Juice"
table <Rick> persist file "/etc/pf/Rick"
table <Zhiyu> persist file "/etc/pf/Zhiyu"
table <TestBed2-3> persist file "/etc/pf/TestBed2-3"

set skip on lo

scrub in all

rdr pass on $MOD_IF proto tcp from any to any port 43021 -> 10.100.43.21 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43022 -> 10.100.43.22 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43023 -> 10.100.43.23 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43024 -> 10.100.43.24 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43025 -> 10.100.43.25 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43026 -> 10.100.43.26 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43027 -> 10.100.43.27 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43028 -> 10.100.43.28 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43029 -> 10.100.43.29 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43030 -> 10.100.43.30 port 3389


nat on $MOD_IF from 10.100.43.0/24 to any -> $MOD_IF
nat on $MOD_IF from 10.100.41.0/24 to any -> $MOD_IF


antispoof log for $LAB_IF inet 

block in log on $LAB_IF all 
pass in log quick on $LAB_IF from <Brian> to any keep state
pass in log quick on $LAB_IF from <Fred> to any keep state
pass in log quick on $LAB_IF from <Iris> to any keep state
pass in log quick on $LAB_IF from <Jack> to any keep state
pass in log quick on $LAB_IF from <Joe> to any keep state
pass in log quick on $LAB_IF from <Rick> to any keep state
pass in log quick on $LAB_IF from <Zhiyu> to any keep state
pass in log quick on $LAB_IF from <TestBed2-3> to any keep state
pass in log quick on $LAB_IF from <Juice> to any keep state

Routing table:
Code: 
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            168.95.98.254      UGS         0   131225   tun0
10.100.41.0/24     link#1             U           0    12189   age0
10.100.41.59       link#1             UHS         0        0    lo0
10.100.43.0/24     link#1             U           1    57252   age0
10.100.43.136      link#1             UHS         0        0    lo0

ifconfig:
Code: 
age0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500     
options=319b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC>
        ether 00:22:15:4b:f2:42
        inet 10.100.43.136 netmask 0xffffff00 broadcast 10.100.43.255
        inet 10.100.41.59 netmask 0xffffff00 broadcast 10.100.41.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
        ether 00:21:91:7a:a3:de
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        inet 118.169.36.149 --> 168.95.98.254 netmask 0xffffffff
        Opened by PID 773

Now the first propose is ok, but the second is not.
Would you please help me to check the pf.conf?
 
Do NOT allow direct access over RDP to your machines. You will be in a world of hurt. You will get hacked this way.
 
Hi SirDice:

Thanks for your reply.
I understand that you mentioned is for security.
In order to easy to use, so I just changed the default RDP port, and configured rdr for each PC as following.

Code: 
rdr pass on $MOD_IF proto tcp from any to any port 43021 -> 10.100.43.21 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43022 -> 10.100.43.22 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43023 -> 10.100.43.23 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43024 -> 10.100.43.24 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43025 -> 10.100.43.25 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43026 -> 10.100.43.26 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43027 -> 10.100.43.27 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43028 -> 10.100.43.28 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43029 -> 10.100.43.29 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 43030 -> 10.100.43.30 port 3389

According to my 'pf.conf', is there any problem?
Thank you very much.
 
Split your rdr and pass rules. Make the pass rules 'keep state'.
 
Hi SirDice:

As following is my 'pf.conf'.
Code: 
LAB_IF="age0"
MOD_IF="tun0"

table <Brian> persist file "/etc/pf/Brian"
table <Fred> persist file "/etc/pf/Fred"
table <Iris> persist file "/etc/pf/Iris"
table <Jack> persist file "/etc/pf/Jack"
table <Joe> persist file "/etc/pf/Joe"
table <Juice> persist file "/etc/pf/Juice"
table <Rick> persist file "/etc/pf/Rick"
table <Zhiyu> persist file "/etc/pf/Zhiyu"
table <TestBed2-3> persist file "/etc/pf/TestBed2-3"

set loginterface $LAB_IF
set skip on lo

scrub in all

rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4321 -> 10.100.43.21 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4322 -> 10.100.43.22 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4323 -> 10.100.43.23 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4324 -> 10.100.43.24 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4325 -> 10.100.43.25 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4326 -> 10.100.43.26 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4327 -> 10.100.43.27 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4328 -> 10.100.43.28 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4329 -> 10.100.43.29 port 3389
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4330 -> 10.100.43.30 port 3389

nat on $MOD_IF from 10.100.43.0/24 to any -> $MOD_IF
nat on $MOD_IF from 10.100.41.0/24 to any -> $MOD_IF

antispoof log for $LAB_IF inet 

block in log on $LAB_IF all 
pass in quick on $LAB_IF from <Brian> to any keep state
pass in quick on $LAB_IF from <Fred> to any keep state
pass in quick on $LAB_IF from <Iris> to any keep state
pass in quick on $LAB_IF from <Jack> to any keep state
pass in quick on $LAB_IF from <Joe> to any keep state
pass in quick on $LAB_IF from <Rick> to any keep state
pass in quick on $LAB_IF from <Zhiyu> to any keep state
pass in quick on $LAB_IF from <TestBed2-3> to any keep state
pass in quick on $LAB_IF from <Juice> to any keep state

And following is the 'pflog'.
Code: 
00:00:00.655967 rule 4/0(match): block in on age0: 10.100.43.27.3389 > 140.126.143.237.2615: Flags [S.], seq 673308772, ack 2873124603, win 16384, options [mss 1460,nop,nop,sackOK], length 0
00:00:01.762975 rule 4/0(match): block in on age0: 10.100.43.27.3389 > 140.126.143.237.2615: Flags [S.], seq 673308772, ack 2873124603, win 16384, options [mss 1460,nop,nop,sackOK], length 0
00:00:03.898631 rule 4/0(match): block in on age0: 10.100.43.27.3389 > 140.126.143.237.2615: Flags [S.], seq 673308772, ack 2873124603, win 16384, options [mss 1460,nop,nop,sackOK], length 0
00:00:03.100560 rule 4/0(match): block in on age0: 10.100.43.27.3389 > 140.126.143.237.2616: Flags [S.], seq 42859262, ack 1616990338, win 16384, options [mss 1460,nop,nop,sackOK], length 0
00:00:03.840817 rule 4/0(match): block in on age0: 10.100.43.27.3389 > 140.126.143.237.2616: Flags [S.], seq 42859262, ack 1616990338, win 16384, options [mss 1460,nop,nop,sackOK], length 0
00:00:06.875028 rule 4/0(match): block in on age0: 10.100.43.27.3389 > 140.126.143.237.2616: Flags [S.], seq 42859262, ack 1616990338, win 16384, options [mss 1460,nop,nop,sackOK], length 0

It is still not ok.
Sorry, I am not sure I understand what you mean.
Thanks for your reply.
 
Split them up.

Code: 
rdr on $ext_if proto tcp from any to any port 4321 -> $someip port 3389

pass in on $ext_if from any to any port 3389 keep state
 
It is worked properly with following configuration.

Code: 
LAB_IF="age0"
MOD_IF="tun0"

table <Brian> persist file "/etc/pf/Brian"
table <Fred> persist file "/etc/pf/Fred"
table <Iris> persist file "/etc/pf/Iris"
table <Jack> persist file "/etc/pf/Jack"
table <Joe> persist file "/etc/pf/Joe"
table <Juice> persist file "/etc/pf/Juice"
table <Rick> persist file "/etc/pf/Rick"
table <Zhiyu> persist file "/etc/pf/Zhiyu"
table <TestBed2-3> persist file "/etc/pf/TestBed2-3"

set loginterface $LAB_IF
set skip on lo

scrub in all

rdr pass on $MOD_IF proto tcp from any to any port 4321 -> 10.100.43.21 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4322 -> 10.100.43.22 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4323 -> 10.100.43.23 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4324 -> 10.100.43.24 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4325 -> 10.100.43.25 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4326 -> 10.100.43.26 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4327 -> 10.100.43.27 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4328 -> 10.100.43.28 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4329 -> 10.100.43.29 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4330 -> 10.100.43.30 port 3389

nat on $MOD_IF from 10.100.43.0/24 to any -> $MOD_IF
nat on $MOD_IF from 10.100.41.0/24 to any -> $MOD_IF

antispoof log for $LAB_IF inet

block in log on $LAB_IF all
pass in quick on $LAB_IF from <Brian> to any keep state
pass in quick on $LAB_IF from <Fred> to any keep state
pass in quick on $LAB_IF from <Iris> to any keep state
pass in quick on $LAB_IF from <Jack> to any keep state
pass in quick on $LAB_IF from <Joe> to any keep state
pass in quick on $LAB_IF from <Rick> to any keep state
pass in quick on $LAB_IF from <Zhiyu> to any keep state
pass in quick on $LAB_IF from <TestBed2-3> to any keep state
pass in quick on $LAB_IF from <Juice> to any keep state
pass in quick on $LAB_IF proto tcp from <Brian> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Fred> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Iris> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Jack> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Joe> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Rick> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Zhiyu> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <TestBed2-3> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Juice> port 3389 to any flags S/S keep state

I just added following rule to let this kind of packets, "Flags [S.]", pass.
Code: 
pass in quick on $LAB_IF proto tcp from <Brian> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Fred> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Iris> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Jack> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Joe> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Rick> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Zhiyu> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <TestBed2-3> port 3389 to any flags S/S keep state
pass in quick on $LAB_IF proto tcp from <Juice> port 3389 to any flags S/S keep state
 
You appear not to have 'pass out' rules to the '10.100' network. The 'rdr pass' only takes care of the incoming connection (which is automatically stateful, because 'rdr' rules always are). So for any 'rdr pass' or 'rdr + pass in' rule (same thing) you will also need a 'pass out' rule to the rest of your network. Defining 'keep state' and 'flags' is no longer necessary in recent versions of PF, but IF you define flags, 'S/SA' is the one to use.

So:

Code: 
rdr pass on $MOD_IF proto tcp from any to $MOD_IF/32 port 4321 -> 10.100.43.21 port 3389
...
pass out on $some_if proto tcp from any to 10.100.43.21 port 3389

should work.
 
Hi DutchDaemon:

Yes, you are correct!
It is worked properly with following configuration too.

Code: 
LAB_IF="age0"
MOD_IF="tun0"

table <Brian> persist file "/etc/pf/Brian"
table <Fred> persist file "/etc/pf/Fred"
table <Iris> persist file "/etc/pf/Iris"
table <Jack> persist file "/etc/pf/Jack"
table <Joe> persist file "/etc/pf/Joe"
table <Juice> persist file "/etc/pf/Juice"
table <Rick> persist file "/etc/pf/Rick"
table <Zhiyu> persist file "/etc/pf/Zhiyu"
table <TestBed2-3> persist file "/etc/pf/TestBed2-3"

set loginterface $LAB_IF
set skip on lo

scrub in all

rdr pass on $MOD_IF proto tcp from any to any port 4301 -> 10.100.43.1 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4302 -> 10.100.43.2 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4303 -> 10.100.43.3 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4304 -> 10.100.43.4 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4305 -> 10.100.43.5 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4306 -> 10.100.43.6 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4307 -> 10.100.43.7 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4308 -> 10.100.43.8 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4309 -> 10.100.43.9 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4310 -> 10.100.43.10 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4311 -> 10.100.43.11 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4312 -> 10.100.43.12 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4313 -> 10.100.43.13 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4314 -> 10.100.43.14 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4315 -> 10.100.43.15 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4316 -> 10.100.43.16 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4317 -> 10.100.43.17 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4318 -> 10.100.43.18 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4319 -> 10.100.43.19 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4320 -> 10.100.43.20 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4321 -> 10.100.43.21 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4322 -> 10.100.43.22 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4323 -> 10.100.43.23 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4324 -> 10.100.43.24 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4325 -> 10.100.43.25 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4326 -> 10.100.43.26 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4327 -> 10.100.43.27 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4328 -> 10.100.43.28 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4329 -> 10.100.43.29 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4330 -> 10.100.43.30 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4331 -> 10.100.43.31 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4332 -> 10.100.43.32 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4333 -> 10.100.43.33 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4334 -> 10.100.43.34 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4335 -> 10.100.43.35 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4336 -> 10.100.43.36 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4337 -> 10.100.43.37 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4338 -> 10.100.43.38 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4339 -> 10.100.43.39 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4340 -> 10.100.43.40 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4341 -> 10.100.43.41 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4342 -> 10.100.43.42 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4343 -> 10.100.43.43 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4344 -> 10.100.43.44 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4345 -> 10.100.43.45 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4346 -> 10.100.43.46 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4347 -> 10.100.43.47 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4348 -> 10.100.43.48 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4349 -> 10.100.43.49 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4350 -> 10.100.43.50 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4351 -> 10.100.43.51 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4352 -> 10.100.43.52 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4353 -> 10.100.43.53 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4354 -> 10.100.43.54 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4355 -> 10.100.43.55 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4356 -> 10.100.43.56 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4357 -> 10.100.43.57 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4358 -> 10.100.43.58 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4359 -> 10.100.43.59 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4360 -> 10.100.43.60 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4361 -> 10.100.43.61 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4362 -> 10.100.43.62 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4363 -> 10.100.43.63 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4364 -> 10.100.43.64 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4365 -> 10.100.43.65 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4366 -> 10.100.43.66 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4367 -> 10.100.43.67 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4368 -> 10.100.43.68 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4369 -> 10.100.43.69 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4370 -> 10.100.43.70 port 3389

rdr pass on $MOD_IF proto tcp from any to any port 4141 -> 10.100.41.41 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4142 -> 10.100.41.42 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4143 -> 10.100.41.43 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4144 -> 10.100.41.44 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4145 -> 10.100.41.45 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4146 -> 10.100.41.46 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4147 -> 10.100.41.47 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4148 -> 10.100.41.48 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4149 -> 10.100.41.49 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4150 -> 10.100.41.50 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4151 -> 10.100.41.51 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4152 -> 10.100.41.52 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4153 -> 10.100.41.53 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4154 -> 10.100.41.54 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4155 -> 10.100.41.55 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4156 -> 10.100.41.56 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4157 -> 10.100.41.57 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4158 -> 10.100.41.58 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4159 -> 10.100.41.59 port 3389
rdr pass on $MOD_IF proto tcp from any to any port 4160 -> 10.100.41.60 port 3389

nat on $MOD_IF from 10.100.43.0/24 to any -> $MOD_IF
nat on $MOD_IF from 10.100.41.0/24 to any -> $MOD_IF

antispoof log for $LAB_IF inet

block in log on $LAB_IF all
pass in quick on $LAB_IF from <Brian> to any keep state
pass in quick on $LAB_IF from <Fred> to any keep state
pass in quick on $LAB_IF from <Iris> to any keep state
pass in quick on $LAB_IF from <Jack> to any keep state
pass in quick on $LAB_IF from <Joe> to any keep state
pass in quick on $LAB_IF from <Rick> to any keep state
pass in quick on $LAB_IF from <Zhiyu> to any keep state
pass in quick on $LAB_IF from <TestBed2-3> to any keep state
pass in quick on $LAB_IF from <Juice> to any keep state

pass out quick on $LAB_IF proto tcp from any to  <Brian> port 3389
pass out quick on $LAB_IF proto tcp from any to <Fred> port 3389
pass out quick on $LAB_IF proto tcp from any to <Iris> port 3389
pass out quick on $LAB_IF proto tcp from any to <Jack> port 3389
pass out quick on $LAB_IF proto tcp from any to <Joe> port 3389
pass out quick on $LAB_IF proto tcp from any to <Rick> port 3389
pass out quick on $LAB_IF proto tcp from any to <Zhiyu> port 3389
pass out quick on $LAB_IF proto tcp from any to <TestBed2-3> port 3389
pass out quick on $LAB_IF proto tcp from any to <Juice> port 3389

But I don't understand why we need to configured the 'pass out' rule on '$LAB_IF'(Internal NIC)?
We do not block any out of packets on '$LAB_IF', right?
Would you please help me to clarify?

Thank you very much.
 
I think that as soon as you create a block rule on an interface, you have to explicitly create pass rules for other traffic (and vice versa, probably).

Example:

Code: 
block in log on em0 all

will also block all outbound traffic on em0.

With

Code: 
block in log on em0 all
pass out on em0 all

it works again.
 
You must log in or register to reply here.
Back
Top