rdr rule does not work (bad hdr length)

Max Laier max at love2party.net
Tue Nov 4 02:39:18 PST 2008


On Tuesday 04 November 2008 10:15:26 Matthias Kellermann wrote:
> I'm trying to set up a simple rdr rule in pf (7.0-RELEASE-p5).
>
> I have two hosts - host a (192.168.0.250) and host b (192.168.0.10) - in
> a local network and want to forward one port from host a to host b.
>
> host a is the pf host. This is the rule to redirect traffic from host a
> to b:
>
> rdr proto tcp from any to 192.168.0.250 port 23 -> 192.168.0.10
> pass log (all) proto tcp from any to 192.168.0.10 port 23 synproxy state
>
> If I try to get a telnet connection from my client 192.168.0.51 the
> connection gets stuck and nothing happens. This is the output of tcpdump
> on the pflog0 interface:
>
> # tcpdump -netttvvi pflog0
> 000000 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 26668,
> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.54460 >
> 192.168.0.10.23: [|tcp]
> 000266 rule 0/0(match): pass out on sis0: (tos 0x10, ttl 64, id 25527,
> offset 0, flags [DF], proto TCP (6), length 44) 192.168.0.51.54460 >
> 192.168.0.10.23:  tcp 24 [bad hdr length 0 - too short, < 20]
>
> Does anybody have an idea what's wrong here?

Redirection only works if your pf box sees both directions of the connection.  
In your case, however, 192.168.0.10 probably knows how to contact 192.168.0.51 
directly.  So what happens is:

.51 -> SYN (src=.51,dst=.250) -> pf -> SYN (src=.51,dst=.10) -> .10

    <----------------------------  SYN/ACK (src=.10,dst=.51) <-

But .51 is waiting for a SYN/ACK from .250.  You can solve this by either:
 - moving .10 into a separate LAN for which the pf box is the default gw
 - userland reflection (e.g. nc(1) from inetd(8))
 - having your clients connect to the correct box in the first place
   (split horizon DNS etc.) 

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
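One way to realise the first option in the reply above (pf box as default gateway for host b), as an added pf.conf example that is not part of the original thread: the interface names sis0/sis1, the 192.168.1.0/24 segment and host b's new address 192.168.1.10 are assumptions. Because every packet between .51 and .10 now crosses the pf box, both directions of the redirected connection are seen by pf and the state matches.

```pf
# Assumed layout (constructed for this example, not from the thread):
#   sis0 = 192.168.0.250/24, faces the clients (e.g. 192.168.0.51)
#   sis1 = 192.168.1.250/24, faces host b, now 192.168.1.10
# host b must use 192.168.1.250 as its default gateway, so its SYN/ACK
# back to .51 goes through pf instead of around it.
ext_if = "sis0"
srv_if = "sis1"
host_a = "192.168.0.250"
host_b = "192.168.1.10"

set skip on lo0

# Redirect telnet aimed at host a to host b.  Translation is applied on
# the interface the SYN arrives on, so the rule still matches the
# original destination 192.168.0.250.
rdr on $ext_if proto tcp from any to $host_a port 23 -> $host_b

# Filter rules see the already-rewritten destination (host b).  The state
# created here is floating, so host b's reply is matched on sis1 and
# translated back to src=192.168.0.250 before it reaches the client.
pass in log on $ext_if proto tcp from any to $host_b port 23 synproxy state

# Explicit pass out on the server side, so the setup keeps working if a
# default "block all" is added later.
pass out on $srv_if proto tcp from any to $host_b port 23 keep state

# Checks after "pfctl -f /etc/pf.conf":
#   pfctl -sn    lists the rdr rule
#   pfctl -ss    should show one state for .51 -> .250:23 with both
#                addresses once the client connects
```

If host b still has an interface on 192.168.0.0/24, it will answer directly and the symptom described above returns, so the old address must actually be removed.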

