Nat – OpenBSD 5.0 pf with NAT & Port Forwarding


Port forwarding does not seem to work properly; incoming connections are apparently blocked.

Is there something wrong with my pf.conf?

# pf.conf as posted in the question (OpenBSD 5.0): source-NAT for the LAN
# behind em0 plus inbound port forwards on re0. The target addresses
# (server, wwwserver, x79, t420) were blanked out by the poster.

# Performance limits
# NOTE(review): these are far above pf's defaults; every state, source node
# and table entry costs kernel memory, so confirm the box has the RAM for
# them before loading this on a small router.
set limit states 200000
set limit src-nodes 200000
set limit frags 1000000
set limit tables 20000
set limit table-entries 40000000

# Loopback traffic is never filtered.
set skip on lo

# Interface macros: re0 faces the Internet (it is the NAT and block-in
# interface below), em0 faces the LAN whose :network is NATed.
ext_if = "re0"
int_if = "em0"

# Add UPnP rules
# Anchor left disabled here. When enabled, miniupnpd would presumably load
# its own rdr/pass rules into it, letting LAN hosts open inbound ports on
# their own -- worth remembering when auditing what is reachable.
#anchor miniupnpd

# Forward targets and the ports sent to each (addresses removed for the
# post; an empty macro expands to nothing in the rdr-to rules below).
server = ""
server_tcp = "{22, 8887, 9001, 9030}"
server_udp = "{8887, 9001, 9030}"

wwwserver = ""
wwwserver_tcp = "{80, 443}"
# The udp list is empty and the matching udp rule below is commented out.
wwwserver_udp = "{}"

x79 = ""
# The space before the closing brace appears to be ignored by the list parser.
x79_tcp = "{18887 }" 
x79_udp = "{18887 }"

t420 = ""
t420_tcp = "{9222 }"
t420_udp = "{9222 }"

## Bad syntax warnings.. ignore for the moment
# Presumably rejected because expanding one brace list inside another
# yields nested braces ("{ {22, ...} {80, 443} ... }") -- TODO confirm with
# 'pfctl -nf'.
#all_tcp = "{ $server_tcp $wwwserver_tcp $x79_tcp $t420_tcp }"
#all_udp = "{ $server_udp $wwwserver_udp $x79_udp $t420_udp }"
#pass out on $ext_if proto tcp to port $all_tcp
#pass out on $ext_if proto udp to port $all_udp

# Default rules
# A bare 'pass' matches every packet on every interface, in and out, and
# keeps state. pf evaluates all rules and the LAST match wins (nothing here
# uses 'quick'), so the more specific rules below override it.
pass #to establish keep-state
# Drop everything arriving on the external interface unless a later
# 'pass in on $ext_if' rule matches; outbound and LAN-side traffic stays open.
block in on $ext_if
#pass in keep state
#pass out keep state

# Nat
# Rewrite the source of LAN traffic leaving via re0 to re0's own address.
# The parentheses make pf re-read the interface address on each evaluation,
# useful when re0 gets its address via DHCP.
pass out on $ext_if from $int_if:network to any nat-to ($ext_if) 

# Inbound forwards. Each rule admits ANY source on the Internet, so every
# listed port (22/ssh included) is world-reachable -- narrow 'from any' to a
# table of permitted sources where the service need not be public. 'to any'
# also matches packets entering re0 for other destinations; 'to ($ext_if)'
# would scope the redirect to the router's own external address. Redirected
# packets still need net.inet.ip.forwarding=1 to be routed to the LAN host.
# NOTE(review): pf.conf(5) treats the port after rdr-to as optional (the
# original destination port is kept), so whether the missing 'port' is what
# broke these rules is worth checking with 'pfctl -nf' before rewriting them.
pass in on $ext_if proto tcp from any to any port $server_tcp rdr-to $server
pass in on $ext_if proto udp from any to any port $server_udp rdr-to $server

pass in on $ext_if proto tcp from any to any port $wwwserver_tcp rdr-to $wwwserver
#pass in on $ext_if proto udp from any to any port $wwwserver_udp rdr-to $wwwserver

pass in on $ext_if proto tcp from any to any port $x79_tcp rdr-to $x79
pass in on $ext_if proto udp from any to any port $x79_udp rdr-to $x79

pass in on $ext_if proto tcp from any to any port $t420_tcp rdr-to $t420
pass in on $ext_if proto udp from any to any port $t420_udp rdr-to $t420

Best Answer

I found the solution. An rdr-to must be followed by an IP address and a port, like 'rdr-to $ip port $port'.

# OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Working version: same NAT/forward layout as the original attempt, but each
# rdr-to names an explicit port, the UPnP anchor is enabled and the NAT rule
# excludes LAN-bound destinations. Target addresses are blanked out.

# Resource limits ## root of all evil
# NOTE(review): far above pf's defaults; each state, source node and table
# entry costs kernel memory, so size these to the box's RAM.
set limit states 200000
set limit src-nodes 200000
set limit frags 1000000
set limit tables 20000
set limit table-entries 40000000
#set state-policy if-bound

# Loopback traffic is never filtered.
set skip on lo

# re0 faces the Internet (NAT and block-in interface), em0 faces the LAN.
ext_if = "re0"
int_if = "em0"

# Add UPnP rules
# miniupnpd presumably loads its dynamic rdr/pass rules into this anchor,
# so LAN hosts can open inbound ports without this file changing -- include
# 'pfctl -a miniupnpd -sr' when checking what is actually exposed.
anchor miniupnpd

# Forward targets (addresses removed for the post).
server = ""
wwwserver = ""
x79 = ""
t420 = ""

# Default rules
# A bare 'pass' matches every packet on every interface, in and out, and
# keeps state; pf's LAST matching rule wins (no 'quick' here), so the rules
# below refine it.
pass #to establish keep-state
# Drop everything arriving on re0 unless a later 'pass in on $ext_if' rule
# matches; outbound and LAN-side traffic remains open.
block in on $ext_if

# Nat
# Source-NAT LAN traffic leaving re0 to re0's current address (the
# parentheses make pf re-read the address on each evaluation). The
# '!$int_if:network' destination keeps LAN-to-LAN traffic out of the NAT
# rule; with 'out on $ext_if' already restricting it this looks redundant,
# but it is harmless.
pass out on $ext_if from $int_if:network to !$int_if:network nat-to ($ext_if) 

# Inbound forwards, one rule per port, each redirecting to the same port on
# the target host. Every rule admits any Internet source, so all of these
# ports -- ssh on 22 included -- are world-reachable; restrict 'from any'
# where the service does not need to be public, and prefer 'to ($ext_if)'
# over 'to any' so the redirect applies only to the router's own address.
pass in on $ext_if proto tcp from any to any port 22 rdr-to $server port 22
# 8887, 9001 and 9030 are forwarded for both tcp and udp.
pass in on $ext_if proto {tcp, udp} from any to any port 8887 rdr-to $server port 8887
pass in on $ext_if proto {tcp, udp} from any to any port 9001 rdr-to $server port 9001
pass in on $ext_if proto {tcp, udp} from any to any port 9030 rdr-to $server port 9030

# Web server: tcp only.
pass in on $ext_if proto tcp from any to any port 80 rdr-to $wwwserver port 80
pass in on $ext_if proto tcp from any to any port 443 rdr-to $wwwserver port 443

pass in on $ext_if proto {tcp, udp} from any to any port 18887 rdr-to $x79 port 18887

pass in on $ext_if proto {tcp, udp} from any to any port 9222 rdr-to $t420 port 9222