Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393
Original Poster
Rep:
I set it up according to the man pages, but it doesn't seem to be working. I have an Apache web server running on 10.0.0.4. I can see the Apache page when I go directly to 10.0.0.1 through a web browser, but when I go to 10.0.0.1 (the router, which should be forwarding port 80 to 10.0.0.4) nothing comes up.
Code:
r# vi /etc/pf.conf
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# macros
int_if = "rl1"
ext_if = "rl0"
tcp_services = "{ 22, 80, 21, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.4
# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
When I uncomment the rdr line I am unable to access anything on port 80, and I still can't view the web page through the router's IP. What am I doing wrong?
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393
Original Poster
Rep:
I solved half the problem: if I change the redirection line to read rdr on $int_if proto tcp from any to ($int_if) port 80 -> 10.0.0.4, I can now access websites, but when I try to access the Apache page through the router my browser tries to load it but eventually times out.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
That's because you can't redirect traffic from a particular subnet back to that same subnet. Are you really trying to send all traffic coming from your internal network and going to port 80 back to another host on the internal network? Usually redirection is used to send traffic from the outside to a particular internal host, i.e. a rdr on the ext_if not the int_if.
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393
Original Poster
Rep:
rdr on $ext_if proto tcp from any to ($int_if) port 80 -> 10.0.0.4. That still doesn't work. Basically, what I want to do here is allow my server to be accessed by the outside world. If I have a web server running on a subnet, wouldn't the URL of the gateway of the subnet show the web page?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Why would the internal gateway IP display the web page that is hosted on another machine? What you need is
Code:
rdr on $ext_if proto tcp from any to ($ext_if) port http -> 10.0.0.4
Outside requests can't go to the IP of the internal gateway, because it's a non-routable address. No machines outside know that you have a 10.0.0.0 network inside, and even if they did they couldn't route packets across the Internet to it! The only IP outside machines have is your external IP (the IP assigned to $ext_if, i.e. ($ext_if)).
You'll also need to allow the redirected packets to pass through with one of the following:
Code:
pass in on $ext_if proto tcp from any to ($ext_if) port http flags S/SA keep state
or
pass in on $ext_if proto tcp from any to 10.0.0.4 port http flags S/SA synproxy state
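Putting the two posts above together, here is a complete minimal /etc/pf.conf in OpenBSD 3.x syntax (separate nat/rdr and filter sections, as in the version used in this thread). This is an added example, not the poster's configuration or the OpenBSD FAQ example itself. The interface names rl0/rl1 and the server address 10.0.0.4 come from the thread; the /24 mask, the macro names and the remaining rules are assumptions. Two details matter for the symptoms described: first, pf of this era translates a packet before it is filtered, so the filter rule that admits the redirected traffic has to match the post-translation destination (10.0.0.4), which is why the second of the two pass rules suggested above is the reliable one. Second, a LAN client connecting to the router's own address is the "reflection" case that a plain rdr on $ext_if cannot handle; the int_if block below is the standard workaround, which redirects on the inside interface and NATs the client's source so the server's replies come back through the router.

```pf
# Added example (OpenBSD 3.x pf): forward inbound TCP/80 to an internal
# web server, plus the reflection workaround for LAN clients.
# rl0, rl1 and 10.0.0.4 are from the thread; the rest is assumed.
ext_if  = "rl0"
int_if  = "rl1"
int_net = "10.0.0.0/24"      # assumed mask for the 10.0.0.x LAN
web_srv = "10.0.0.4"
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set block-policy return
set loginterface $ext_if
scrub in all

# --- translation (evaluated BEFORE the filter rules) ---

# Outbound NAT for the LAN. ($ext_if) re-reads the address if it changes.
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound redirect: anything reaching the outside address on port 80 is
# rewritten to 10.0.0.4. The filter rules further down must therefore
# match 10.0.0.4, not ($ext_if).
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv

# Reflection: LAN clients that hit the router's own addresses on port 80
# also get the server. Their source is NATed to the router so the server
# replies via the router instead of straight back to the client.
rdr on $int_if proto tcp from $int_net to { ($ext_if), ($int_if) } port 80 -> $web_srv
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $web_srv port 80 -> ($int_if)

# --- filter ---
block all
pass quick on lo0 all

# Anti-spoofing: private source addresses never arrive from the Internet.
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Admit only the redirected port to the server. synproxy makes pf finish
# the TCP handshake before the server sees the connection.
pass in  on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA synproxy state
pass out on $int_if inet proto tcp from any to $web_srv port 80 keep state

# LAN out to the world; replies are matched by state.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

To check it: pfctl -nf /etc/pf.conf parses without loading, pfctl -f /etc/pf.conf loads, and pfctl -sn and pfctl -sr print the translation and filter rules as pf expanded them, so a macro or list mistake shows up immediately. The rdr rule only rewrites the packet; the kernel still has to forward it, so net.inet.ip.forwarding must be 1 (set it in /etc/sysctl.conf), and the server's default route has to point at the router so its replies pass back through pf. When testing, do it from outside the LAN against the external address; a test from a LAN client against the router's address only succeeds with the reflection rules present.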
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393
Original Poster
Rep:
Code:
ext_if="rl0"
int_if="rl1"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto tcp from any to ($ext_if) port http -> 10.0.0.4
I just cut my /etc/pf.conf down to nothing, just to test whether I can forward the port. This still doesn't work. I can't see the web page through my external IP. I tried it with the pass statements suggested in chort's last post, but I don't think I need them anymore because I got rid of the firewall.