OpenBSD pf port forwarding multiple rules

openbsdpfport-forwarding

I have a few dozen servers behind OpenBSD firewall with port forwarding. Most rules are very similar and differ only in IPs or sometimes in ports forwarded, so I want to compact them to remove excessive repetition but I've found that it is impossible to use tables with rdr-to rules. Is there any way to improve this configuration? May be there is option to use pf macros to generate multiple rules at once? I can't use external preprocessor at the moment.

Example set of rules:

pass in  on $extif proto tcp from any     to 10.0.0.213   port {25,80,443} rdr-to 172.16.1.193
pass in  on $intif proto tcp from $intnet to 10.0.0.213   port {25,80,443} rdr-to 172.16.1.193
pass out on $intif proto tcp from any     to 172.16.1.193 port {25,80,443} received-on $intif nat-to $intif

pass in  on $extif proto tcp from any     to 10.0.0.214   port {25,80,443} rdr-to 172.16.1.194
pass in  on $intif proto tcp from $intnet to 10.0.0.214   port {25,80,443} rdr-to 172.16.1.194
pass out on $intif proto tcp from any     to 172.16.1.194 port {25,80,443} received-on $intif nat-to $intif

pass in  on $extif proto tcp from any     to 10.0.0.215   port {25,80,443,3389} rdr-to 172.16.1.195
pass in  on $intif proto tcp from $intnet to 10.0.0.215   port {25,80,443,3389} rdr-to 172.16.1.195
pass out on $intif proto tcp from any     to 172.16.1.195 port {25,80,443,3389} received-on $intif nat-to $intif

Best Answer

From the pf.conf(5) manpage:

Translation options apply only to packets that pass through the specified interface, and if no interface is specified, translation is applied to packets on all interfaces. For instance, redirecting port 80 on an external interface to an internal web server will only work for connections originating from the outside. Connections to the address of the external interface from local hosts will not be redirected, since such packets do not actually pass through the external interface. Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.

You might be able to condense some of your rules by not specifying which interface you want the re-direction to take place on and allow pf to evaluate it for you.

For example:

pass in on $extif proto tcp from any to 10.0.0.213 port {25,80,443} rdr-to 172.16.1.193
pass in on $intif proto tcp from $intnet to 10.0.0.213 port {25,80,443} rdr-to 172.16.1.193

Could be re-written as:

pass in proto tcp from any to 10.0.0.213 port {25, 80, 443} rdr-to 172.16.1.193

Inbound traffic destined for 10.0.0.213 on $extif will be redirected to 172.16.1.193.
Inbound traffic destined for 10.0.0.213 on $intif will be redirected to 172.16.1.193.
This will also allow traffic that is not part of $intnet to happily be redirected as well. This may or may not desirable.

Without seeing your entire ruleset or really knowing what you're trying to accomplish I can only offer a proof-of-concept example.

One final note: I would really avoid doing this. There is a tendency (at least I have it) to want to write the fewest rules possible by having one rule do more than "one thing". This is bad. Firewalls are already frightfully complicated and seemly always misconfigured; why make it harder on yourself by crafting a byzantine ruleset? A longer ruleset with simpler rules will be easier to understand, maintenance and debug. Avoid the temptation to be overly clever.

Related Solutions

Nat – OpenBSD 5.0 pf with NAT & Port Forwarding

I found the solution. A rdr-to must be followed with ip and port like 'rdr-to $ip port $port'

# OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Resource limits ## root of all evil
set limit states 200000
set limit src-nodes 200000
set limit frags 1000000
set limit tables 20000
set limit table-entries 40000000
#set state-policy if-bound


set skip on lo

ext_if = "re0"
int_if = "em0"

# Add UPnP rules
anchor miniupnpd

server = "192.168.1.250"
wwwserver = "192.168.1.99"
x79 = "192.168.1.100"
t420 = "192.168.1.251"


# Default rules
pass #to establish keep-state
block in on $ext_if


# Nat
pass out on $ext_if from $int_if:network to !$int_if:network nat-to ($ext_if) 

pass in on $ext_if proto tcp from any to any port 22 rdr-to $server port 22
pass in on $ext_if proto {tcp, udp} from any to any port 8887 rdr-to $server port 8887
pass in on $ext_if proto {tcp, udp} from any to any port 9001 rdr-to $server port 9001
pass in on $ext_if proto {tcp, udp} from any to any port 9030 rdr-to $server port 9030

pass in on $ext_if proto tcp from any to any port 80 rdr-to $wwwserver port 80
pass in on $ext_if proto tcp from any to any port 443 rdr-to $wwwserver port 443

pass in on $ext_if proto {tcp, udp} from any to any port 18887 rdr-to $x79 port 18887

pass in on $ext_if proto {tcp, udp} from any to any port 9222 rdr-to $t420 port 9222

OpenBsd 5 port forwarding

Make sure that the client interfaces are able to ping 192.65.214.131 as well as the server running pf, and that 192.65.214.131 is able to ping the client machines (or if ping is disabled for some reason, just make sure they have a route that works). One really common issue with these setups is that the packet can get to the host with the NAT's help, but if the NAT has only changed the destination address and not the source, or if it is intended only to redirect but the routing table doesn't show the way back, the packets can go only one way and you have an asymmetric routing failure.

Best Answer

Related Solutions

Nat – OpenBSD 5.0 pf with NAT & Port Forwarding

OpenBsd 5 port forwarding

Related Topic