Hi all,

I am really in stuck, I cannot understand what I am doing wrong. I am playing with pf/nat/rdr but something is wrong.


I have net ( testing net ) like this



laptop---ext_if----|openBSD-1|--int_if1------IF2---|openBSD-2|---


laptop=192.168.1.44/24
ext_if=192.168.1.120/24
int_if=172.16.1.10/12
IF2=172.16.1.20/12

On OpenBSD-2 I have web server, and on OpenBSD-1 I have pf rules as below.
I want to make to connect to web server ( openBSD2 ) from laptop, nat + rdr.
I used manual at http://www.openbsd.org/faq/pf/example1.html
but from laptop I cannot connect to web server and get web page.
Any suggestion is welcome, what I have made wrong.

Thank you in advance for any comment. I had enabled on openBSD-1 in sysctl.conf packet forwarding.
This is testing at my home, but really do not understand what is wrong

Regards

ext_if="fxp0"
int_if="rl1"

tcp_services="{22,80}"
icmp_types="echoreq"

web_server="172.16.1.20"
ext_add="192.168.1.120"

#set block-policy return
set loginterface $ext_if
set loginterface $int_if

scrub in


nat on $ext_if from $int_if to any ->($ext_if)
rdr on $ext_if proto tcp from any to $ext_add port 80 -> $web_server port 80

block in on $ext_if
pass out keep state

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $web_server port 80 flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

I don't see anything obvious right off hand. The best bet is to simultaneously run a tcpdump on rl1 of OpenBSD-1, and also on OpenBSD-2. See if the packets match up. Also, make sure you have logging setup for PF and check to see if packets are being discarded for some reason:
http://www.openbsd.org/faq/pf/logging.html

PS What's the output of:?

Hi Chort, thank you for answer; I did some debeuging before and packets come to openBSD-2, but on laptop I did not get web page. I just want to make this traffic redirection and leter on use it for my home firewall. But for some reason I cannot find out what could be reason not to get web page.

Anyway thank you very much for comments.

Kind regards

on rl0 on openBSD-2 :

tcpdump -i rl0 not port 22
tcpdump: listening on rl0, link-type EN10MB
22:34:34.234288 192.168.1.1.36412 > 172.16.1.20.www: S 1417226230:1417226230(0) win 0 <mss 1460> (DF) [tos 0x10]


on openBSD-1 on rl1 :
tcpdump -i rl1 not port 22
tcpdump: listening on rl1, link-type EN10MB
09:31:54.366154 192.168.1.1.36412 > 172.16.1.20.www: S 1417226230:1417226230(0) win 0 <mss 1460> (DF) [tos 0x10]


and on fxp0 on openBSD-1--interface I am connected with my laptop on :
09:31:54.365998 192.168.1.1.36412 > 192.168.1.120.www: S 962803895:962803895(0) win 5840 <mss 1460,sackOK,timestamp 304736 0,nop,wscale 6> (DF)
09:31:54.366038 192.168.1.120.www > 192.168.1.1.36412: S 1746605498:1746605498(0) ack 962803896 win 0 <mss 1460> (DF) [tos 0x10]
09:31:54.366128 192.168.1.1.36412 > 192.168.1.120.www: . ack 1 win 5840 (DF)


output of pf rules is :

pfctl -g -s rules| grep '^@'
@0 scrub in all fragment reassemble
@0 block drop in on fxp0 all
@1 pass in on fxp0 inet proto tcp from any to (fxp0:1) port = ssh flags S/SA keep state
@2 pass in on fxp0 inet proto tcp from any to (fxp0:1) port = www flags S/SA keep state
@3 pass out all flags S/SA keep state
@4 pass in on fxp0 inet proto tcp from any to 172.16.1.20 port = www flags S/SA synproxy state
@5 pass in inet proto icmp all icmp-type echoreq keep state
# pfctl -sr
scrub in all fragment reassemble
block drop in on fxp0 all
pass in on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (fxp0) port = www flags S/SA keep state
pass out all flags S/SA keep state
pass in on fxp0 inet proto tcp from any to 172.16.1.20 port = www flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
# pfctl -sn
nat on fxp0 inet from 172.16.1.10 to any -> (fxp0) round-robin
rdr on fxp0 inet proto tcp from any to 192.168.1.120 port = www -> 172.16.1.20 port 80

Hi people,

I do not have big BSD knowledge, but problem I had ( please read previous posts ) was resolved when I replaced openBSD-2 with debian-linux web server.
It was only change and I am wondering what it could be why witg same PF rules, I was not able to get web page when there was openBSD-2 ( openBSD ) and was able when I set up linux server there.
The main reason I want to migrate to openBSD is security, ( Welcome to OpenBSD: The proactively secure Unix-like operating system ...right ), and I am asking you with more experinece than me, are there some limitations on default installation, and so on.
All works as expeced when for web server is placed on Linux/Debian instead on openBSD.
I will continue to work on this, in case I find what is root cause, I will post it here.


With regards,

So the synproxy part is working, it's completing the 3-way handshake, but OpenBSD-2 isn't responding to the SYN that gets passed to it. Is OpenBSD-2 running PF as well? It seems to be dropping packets (or routing them out a different interface?).

Does the rule work if you change "synproxy state" to "modulate state"? If so, you can try adding these:Oh, PS your NAT rule is wrong!

It should be like this:Note the difference is instead of specifying $int_if (the internal interface, which expands to just the IP address of the internal interface), you want to specify the network that the internal interface is on, so traffic from any IP on that network get's NAT'd when it traverses the firewall.

Also, does OpenBSD-2 have it's default route pointed to 172.16.1.10? It should.

Either you were running PF on OpenBSD-2 and dropping all, or you did not have your default route set on OpenBSD-2. It was a problem with the configuration on that machine, because it was never responding to the incoming SYN packets.

Hi,

I suppose I had wrong default gateway, because PF on openBSD-2 machine was not enabled.
Thank you for commnets.
Kind regards ...

I checked, it was misconfigured df gw. It works now

Excellent, glad you got it working

But thanks goes to you for suggestions and help.
After I installed OpenBSD on some servers ( replacing Debian, which was/is also super ) I have plan to use OpenBSD more, it is really fantastic operating system.

Thank you againg for help

Kind regards