LinuxQuestions.org
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.
Old 10-23-2004, 06:29 PM   #1
zaicheke
Member
 
Registered: Apr 2004
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393

Rep: Reputation: 30
Port Forwarding


How would I go about port forwarding in OpenBSD?
 
Old 10-24-2004, 12:24 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
$ man pf.conf

You're looking for rdr. Have you tried looking at The PF User's Guide?
 
Old 10-24-2004, 01:16 AM   #3
zaicheke
Member
 
Registered: Apr 2004
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393

Original Poster
Rep: Reputation: 30
Thanks, I found it.
 
Old 10-24-2004, 03:26 PM   #4
zaicheke
Member
 
Registered: Apr 2004
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393

Original Poster
Rep: Reputation: 30
I set it up according to the man pages but it doesn't seem to be working. I have an Apache webserver running on 10.0.0.4. I can see the Apache page when I go directly to 10.0.0.1 through a web browser, but when I go to 10.0.0.1 (the router, which should be forwarding port 80 to 10.0.0.4) nothing comes up.

Code:
r# vi /etc/pf.conf

# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#


# macros
int_if = "rl1"
ext_if = "rl0"

tcp_services = "{ 22, 80, 21, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.4


# filter rules
block all

pass quick on lo0 all

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
When I uncomment the rdr line I am unable to access anything on port 80, and I still can't view the webpage through the router's IP. What am I doing wrong?
 
Old 10-24-2004, 03:57 PM   #5
zaicheke
Member
 
Registered: Apr 2004
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393

Original Poster
Rep: Reputation: 30
I solved half the problem. If I change the redirection line to read: rdr on $int_if proto tcp from any to ($int_if) port 80 -> 10.0.0.4, I can now access websites, but when I try to access the Apache page through the router my browser tries to load it but eventually times out.

Last edited by zaicheke; 10-24-2004 at 04:14 PM.
 
Old 10-24-2004, 07:25 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
That's because you can't redirect traffic from a particular subnet back to that same subnet. Are you really trying to send all traffic coming from your internal network and going to port 80 back to another host on the internal network? Usually redirection is used to send traffic from the outside to a particular internal host, i.e. a rdr on the ext_if not the int_if.
 
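Why the internal-interface rdr in post #5 times out, as an added illustration (not code from the thread): with rdr on $int_if ... -> 10.0.0.4, a LAN client connects to 10.0.0.1:80, pf rewrites the destination to 10.0.0.4 and forwards the packet, but 10.0.0.4 sits on the same subnet as the client and answers it directly. The reply arrives from 10.0.0.4 rather than 10.0.0.1, the client's TCP stack has no connection matching that source address and drops it, and the handshake never completes. The PF User's Guide linked in post #2 documents this case under "Redirection and Reflection": if LAN clients really must reach the server through the gateway's address, the redirected connections must also be NATed to the internal interface's address so that the server's replies go back through the firewall. The interface names and 10.0.0.x addresses below are the thread's; $int_net is an assumed 10.0.0.0/24, and the rule set is adapted from that guide section in the OpenBSD 3.x syntax this page uses.

```pf
# Added example: reflection, i.e. LAN clients reaching 10.0.0.4 through the
# gateway's own address. Not the poster's file; adapted from the "Redirection
# and Reflection" section of the PF User's Guide.
ext_if  = "rl0"
int_if  = "rl1"
int_net = "10.0.0.0/24"      # assumed: the LAN behind rl1
server  = "10.0.0.4"

# Redirect only connections aimed at the gateway's own addresses, never
# "to any": "rdr ... from any to any port 80" on $int_if catches every
# outbound web request from the LAN and sends it to 10.0.0.4, which is
# why all port 80 access broke in post #4.
rdr on $int_if proto tcp from $int_net to ($int_if) port 80 -> $server
rdr on $int_if proto tcp from $int_net to ($ext_if) port 80 -> $server

# Without the nat rule below, 10.0.0.4 answers the client directly from its
# own address and the client discards the reply (the timeout in post #5).
# Hiding LAN clients behind the internal interface's address for these
# connections forces the replies back through pf, where they are
# un-translated. Side effect: the web server's log shows 10.0.0.1, not the
# real client, for reflected requests.
no nat on $int_if proto tcp from ($int_if) to $int_net
nat on $int_if proto tcp from $int_net to $server port 80 -> ($int_if)

# Filter rules see the packet after translation, so they name the server.
pass in  on $int_if proto tcp from $int_net to $server port 80 \
    flags S/SA keep state
pass out on $int_if proto tcp from any to $server port 80 keep state
```

Check the translation section with pfctl -sn after loading; a reflected connection then shows up in pfctl -ss twice, once as the rdr state and once as the nat state on rl1. For the thread's actual goal (outside access) none of this is needed; it only matters for testing the forwarded service from inside the LAN.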
Old 10-24-2004, 08:49 PM   #7
zaicheke
Member
 
Registered: Apr 2004
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393

Original Poster
Rep: Reputation: 30
rdr on $ext_if proto tcp from any to ($int_if) port 80 -> 10.0.0.4. That still doesn't work. Basically what I want to do here is allow my server to be accessed by the outside world. If I have a webserver running on a subnet, wouldn't the URL of the gateway of the subnet show the webpage?
 
Old 10-24-2004, 11:12 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Why would the internal gateway IP display the web page that is hosted on another machine? What you need is
Code:
rdr on $ext_if proto tcp from any to ($ext_if) port http -> 10.0.0.4
Outside requests can't go to the IP of the internal gateway, because it's a non-routable address. No machines outside know that you have a 10.0.0.0 network inside, and even if they did they couldn't route packets across the Internet to it! The only IP outside machines have is your external IP (the IP assigned to $ext_if, i.e. ($ext_if)).

You'll also need to allow the redirected packets to pass through with one of the following:
Code:
pass in on $ext_if proto tcp from any to ($ext_if) port http flags S/SA keep state
or
pass in on $ext_if proto tcp from any to 10.0.0.4 port http flags S/SA synproxy state
 
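A complete minimal /etc/pf.conf that does what the post above describes, added here as an example and not the poster's final file: NAT for the LAN, a rdr on the external interface for TCP port 80, and a pass rule for the redirected connections. One detail worth making explicit: pf applies rdr before the filter rules are evaluated, so by the time the pass rule runs the destination is already 10.0.0.4, and the rule has to name that translated address (the PF User's Guide states this under "Redirection and Filtering"). Interface names and addresses are the thread's; $int_net as 10.0.0.0/24 and the remaining rules are assumptions in the OpenBSD 3.x syntax used on this page.

```pf
# Added example: forward Internet TCP/80 to 10.0.0.4 and NAT the LAN out.
# OpenBSD 3.x pf syntax. Not the poster's configuration.
ext_if  = "rl0"
int_if  = "rl1"
int_net = "10.0.0.0/24"      # assumed LAN behind rl1
web_srv = "10.0.0.4"         # give this host a static address or a fixed
                             # DHCP lease: a rdr to a stale address fails
                             # silently (the cause found later in this thread)

set block-policy return
set loginterface $ext_if
scrub in all

# NAT the LAN out. ($ext_if) is re-read when the external address changes.
nat on $ext_if from $int_net to any -> ($ext_if)

# The redirect belongs on the interface the packet ARRIVES on, the outside
# one, and should match only the firewall's own external address, not
# "to any". The outside world never sees 10.0.0.1, so a rdr matching
# ($int_if) on $ext_if can never fire.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv

block all
pass quick on lo0 all

# Filter rules run AFTER rdr, so the destination here is 10.0.0.4.
# synproxy makes pf complete the TCP handshake itself before the server
# sees a single packet, which shields the web server from SYN floods.
pass in log on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state

# LAN out (this also covers the forwarded packets leaving rl1 for 10.0.0.4
# when states are floating, the 3.x default).
pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Verify in this order: pfctl -nf /etc/pf.conf parses the file without loading it; pfctl -f /etc/pf.conf loads it; pfctl -sn must list the rdr with the current external address and pfctl -sr the pass rule naming 10.0.0.4. Then connect from a host outside the LAN (testing from inside via the external address runs into the reflection problem discussed earlier in the thread) and watch pfctl -ss for a state whose translated destination is 10.0.0.4:80, or tcpdump -n -e -ttt -i pflog0 for the logged pass. If the state appears but the browser still hangs, the problem is past the firewall: check that net.inet.ip.forwarding=1 is set in /etc/sysctl.conf and that the address in the rdr is still the web server's.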
Old 10-25-2004, 05:38 PM   #9
zaicheke
Member
 
Registered: Apr 2004
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393

Original Poster
Rep: Reputation: 30
Code:
ext_if="rl0"
int_if="rl1"

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto tcp from any to ($ext_if) port http -> 10.0.0.4
I just cut my /etc/pf.conf down to nothing, just to test if I can forward the port. This still doesn't work. I can't see the webpage through my external IP. I tried it with the pass statements suggested in chort's last post, but I don't think I need them anymore because I got rid of the firewall.
 
Old 10-25-2004, 06:05 PM   #10
zaicheke
Member
 
Registered: Apr 2004
Distribution: Slackware 10, Open BSD 3.6, Mac OS 10.3.7, Splack 10 beta
Posts: 393

Original Poster
Rep: Reputation: 30
I got it working. My DHCP lease ran out and my router assigned it a different address. Thanks a lot chort.
 