OpenBsd 5 port forwarding

openbsdpf

I'm trying to configure pf port forwarding on OpenBSD 5.0

The firewall machine has two nics:

em0: 192.168.200.3
vic0: 192.65.214.136

I would like to forward all packets comming into 192.168.200.3:104 to 192.65.214.131:104. Also I need to still have access to port 22, for ssh.

So far, the rules I've setup are as this:

set skip on lo

pass in log on em0 proto tcp from any to any port 104 rdr-to 192.65.214.131

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

By reading the log using tcpdump -n -e -ttt -r /var/log/pflog, I see thar rule 0 is matched, but the calling application does not receives the acknowledge it is expecting.

What I'm doing wrong?.

BTW. I can ping and telnet to 192.65.214.131.

Edit: Here's the new /etc/pf.conf, now it works. Thanks Falcon.

set skip on lo

pass in log on em0 proto tcp from any to any port 104 rdr-to 192.65.214.131
pass out on vic0 from em0:network to any nat-to vic0    
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

Edit: Mm, the nat-to rule only works when packets are sent from 192.168.200.x, but some packets are sent from 192.168.7.xxx, how can I allow those too?.

Thanks in advance,
Leonardo.

Best Answer

Make sure that the client interfaces are able to ping 192.65.214.131 as well as the server running pf, and that 192.65.214.131 is able to ping the client machines (or if ping is disabled for some reason, just make sure they have a route that works). One really common issue with these setups is that the packet can get to the host with the NAT's help, but if the NAT has only changed the destination address and not the source, or if it is intended only to redirect but the routing table doesn't show the way back, the packets can go only one way and you have an asymmetric routing failure.

Related Solutions

Help me upgrade the pf.conf for OpenBSD 4.7

Seems nobody could or was willing to help me... :(

But I managed to get it working myself. Here's the working pf.conf (works with OpenBSD 4.8)

#       $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pppoe0"
int_if="nfe0"
int_net="192.168.0.0/24"

polemon="192.168.0.10"
poletopw="192.168.0.12"
segatop="192.168.0.20"

table <leechers> persist

set loginterface $ext_if
set skip on lo

match on $ext_if all scrub (no-df max-mss 1440)

altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
queue q_pri priority 15
queue q_hi priority 10
queue q_std priority 7 priq(default)
queue q_low priority 0

block

match out on $ext_if from !($ext_if) nat-to ($ext_if)
pass in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in on $ext_if proto tcp to port 2080 rdr-to $segatop port 80
pass in on $ext_if proto tcp to port 2022 rdr-to $segatop port 22
pass in on $ext_if proto tcp to port 4000 rdr-to $polemon port 4000
pass in on $ext_if proto tcp to port 6600 rdr-to $polemon port 6600

anchor "ftp-proxy/*"

pass on $int_if queue(q_hi, q_pri)

pass out on $ext_if queue(q_std, q_pri)
pass out on $ext_if proto icmp queue q_pri
pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
#pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)

pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)

pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri

I had it working for over six months now. Since no one was posting an answer and this is basically working now, I decided to post my own solution. Given that this thread has over 1k views, this might help someone...

PF OpenBSD states

There are a number of things you can do here.

To see which hosts are responsible for the large number of state table entries you can do pfctl -vs state.

To add more state table entries you can do what you suggested (set limit states to a bigger number), but if there is an underlying issue you probably don't want to do that.

You can also consider adjusting the state timeout values (set timeout), possibly using adaptive timeouts, in order to get rid of old/stale states more quickly.

See the manpage for pf.conf and the manpage for pfctl for more information

Best Answer

Related Solutions

Help me upgrade the pf.conf for OpenBSD 4.7

PF OpenBSD states

Related Topic