Hello, I'm trying to configure an OpenBSD router for my server network. I have internet access from my clients and DHCP works in the range 192.168.1.1 -> 192.168.1.250, but the port forwarding doesn't seem to work. I'm able to SSH to my external IP into OpenBSD, but the port forwarding doesn't want to forward SSH to my web server, or the other ports, 80, 443 etc.
Here are my settings:
dhcpd.conf
shared-network RUTER-LAN {
    ############################
    # The three lines below are to specify the shared resources
    # Specify the subnet to give ips on and the netmask
    # given with the ip address
    ############################
    subnet 192.168.1.0 netmask 255.255.255.0 {
        #specify the subnet again (see below NB***)
        option subnet-mask 255.255.255.0;
        #specify the broadcast address for the subnet
        option broadcast-address 192.168.1.255;
        #specify the gateway to use
        option routers 192.168.1.1;
        range 192.168.1.2 192.168.1.250;
    }
}
/etc/mygate:
*MY EXTERNAL IP*
pf.conf:
# Set network interfaces
ext_if="em0" #internet
int_if="em1" #LAN
wwwserver = "192.168.1.2"
# Skip all loopback traffic
set skip on lo
# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass on $int_if all
pass out on $ext_if all
# Allow inbound traffic on internal interface
pass quick on $int_if
# Protect against spoofing
antispoof quick for { lo $int_if }
# Nat
#pass out on $ext_if from $int_if:network to !$int_if:network nat-to ($ext_if)
#match out on $ext_if from $lan_ip nat-to ($ext_if)
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)
pass in on $ext_if proto {tcp, udp} from any to any port 80 rdr-to $wwwserver port 80
ALSO TRIED:
#pass in on $ext_if proto tcp from any to any port 80 rdr-to $wwwserver port 80
pfctl -s rules says:
pass in on em0 inet proto tcp from any to any port = 80 flags S/SA rdr-to 192.168.1.2 port 80
pass in on em0 inet proto udp from any to any port = 80 rdr-to 192.168.1.2 port 80
Please help me get port forwarding to work?
And yes, I have 4 virtual guest OSes (Ubuntu/Linux), and they are not getting an IP from the OpenBSD DHCP server, with a bridged adapter.
pass in quick on $ext_if proto { tcp } from any to any port { 80 } flags S/SA rdr-to $wwwserver
If you tcpdump on the *internal* interface and attempt to connect externally, do you see traffic? If so, do you see *return* traffic if you tcpdump on the external interface and attempt to connect?
It works! Thank you. I'm a complete newbie with OpenBSD; I'm familiar with Ubuntu. But when I use the same pass rule with 443 I get a pf error: out of range.
How could I fix this? Thank you.
pf is not iptables. IIRC, iptables is a "first-match" system, where the first rule that matches is the one that ends the ruleset walk. pf is a "best-match" by default, but when you add the word "quick" to the rule *that rule* becomes a "first-match" (i.e. if a packet matches that rule, process that rule and end there, like iptables).
Since state lookups are so incredibly fast in pf, the ruleset should only be referenced with new traffic. It almost sounds like you had state turned off, though I don't see that in your ruleset and you are on a recent enough version of OpenBSD that pf is stateful by default.
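As an added illustration of the last-match-versus-quick behaviour described in the reply above (a toy model written for this page, not pf code and not posted by anyone in the thread): it replays a simplified form of the poster's ruleset and understands only pass/block, quick, in/out, on, proto, port and rdr-to; real pf also consults the state table before walking the rules at all.

```python
# Toy model of how pf walks a ruleset: by default the LAST matching rule
# decides, but a matching rule marked "quick" decides immediately.
EXT_IF, INT_IF, WWW = "em0", "em1", "192.168.1.2"   # values from the post

# Simplified version of the poster's ruleset (macros already expanded).
RULES = [
    "block log all",
    f"pass on {INT_IF} all",
    f"pass out on {EXT_IF} all",
    f"pass quick on {INT_IF}",
    f"pass in on {EXT_IF} proto tcp from any to any port 80 rdr-to {WWW} port 80",
]

def parse(rule):
    toks = rule.split()
    r = {"action": toks[0], "quick": "quick" in toks, "on": None,
         "proto": None, "port": None, "rdr": None,
         "dir": next((t for t in toks if t in ("in", "out")), None)}
    for key, field in (("on", "on"), ("proto", "proto"),
                       ("port", "port"), ("rdr-to", "rdr")):
        if key in toks:  # first occurrence is the match part, not the rdr-to port
            val = toks[toks.index(key) + 1]
            r[field] = int(val) if field == "port" else val
    return r

def matches(r, pkt):  # a criterion of None means "any" (e.g. 'all')
    return all(r[k] is None or r[k] == pkt[k] for k in ("dir", "on", "proto", "port"))

def evaluate(rules, pkt):
    """Return (action, rdr target, index of deciding rule) for a packet."""
    winner, idx = None, -1
    for i, r in enumerate(map(parse, rules)):
        if matches(r, pkt):
            winner, idx = r, i
            if r["quick"]:  # quick: stop the walk here, this rule wins
                break
    return (winner["action"], winner["rdr"], idx) if winner else ("block", None, -1)

def packet(direction, iface, port, proto="tcp"):
    return {"dir": direction, "on": iface, "proto": proto, "port": port}

if __name__ == "__main__":
    print(evaluate(RULES, packet("in", EXT_IF, 80)))   # ('pass', '192.168.1.2', 4)
    print(evaluate(RULES, packet("in", EXT_IF, 443)))  # ('block', None, 0)
    # A later block rule cannot override an earlier matching quick pass...
    stricter = RULES + [f"block in on {INT_IF} proto tcp port 22"]
    print(evaluate(stricter, packet("in", INT_IF, 22)))   # ('pass', None, 3)
    # ...but without quick the later block is the last match and wins.
    no_quick = [r.replace("quick ", "") for r in stricter]
    print(evaluate(no_quick, packet("in", INT_IF, 22)))   # ('block', None, 5)
```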
OK, I have a bit more understanding of pf now, but I'm having some problems on my local network. I can't visit mydomain.com when I am on my local network, but if I'm on another network it works as it should. What kind of rule do I need for this forwarding?
Thank you, Petter