rdr to 127.0.0.1 doesn't work
orpheus
eugenyuk at gmail.com
Sun May 13 14:25:20 UTC 2012
Hello, guys!
I am trying to configure redirection to 127.0.0.1 port 8025 (spamd service)
in pf but with no luck.
System:
FreeBSD 8.2-RELEASE amd64
root ~ # sockstat -l | grep 8025
_spamd obspamd 32926 4 tcp4 127.0.0.1:8025 *:*
_spamd obspamd 32923 4 tcp4 127.0.0.1:8025 *:*
_spamd obspamd 32922 4 tcp4 127.0.0.1:8025 *:*
root ~ # ifconfig
igb0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        ether 00:25:90:09:01:b2
        media: Ethernet autoselect
        status: no carrier
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        ether 00:25:90:09:01:b3
        inet 1.1.1.2 netmask 0xffffff00 broadcast 1.1.1.255
        inet 1.1.1.3 netmask 0xffffffff broadcast 1.1.1.3
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152
This is my /etc/pf.conf:
===
ext_if = "igb1"
tcp_services="{ 21, 25, 80, 110, 143, 443, 993, 995, 1178, 2224, 2222, 5666 }"
udp_services="{ 53 }"
icmp_types="{ echoreq, unreach }"
table <firewall> const { self }
set skip on lo0
rdr on $ext_if inet proto tcp from any to $ext_if port 25 -> 127.0.0.1 port 8025
block log all
pass in log inet proto tcp from any to 127.0.0.1 port 8025
pass in log on $ext_if inet proto tcp from any to $ext_if port 2224 keep state (max-src-conn 10, max-src-conn-rate 5/60, overload <hammering> flush)
pass in log quick on $ext_if proto tcp from any to <firewall> port www flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to <firewall> port $tcp_services flags S/SA synproxy state
pass in log on $ext_if proto { tcp, udp } from any to <firewall> port $udp_services keep state
pass in log on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
pass in log on lo0 inet proto tcp from any to 127.0.0.1 port 8025
pass in log on $ext_if inet proto tcp from any to $ext_if port smtp
pass out log on $ext_if proto tcp to port smtp
===
Then I am connecting to 127.0.0.1 from localhost:
root ~ # telnet 127.0.0.1 8025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 m
And from a remote host to my server on port 25:
[root at remoteunixadmin] ~# telnet 212.26.132.2 25
Trying 212.26.132.2...
Can't to connect.
Checking pflog at the same time:
root ~ # tcpdump -eni pflog0 dst port 8025
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
17:19:39.787682 rule 2/0(match): pass in on igb1: 46.16.229.18.33722 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:40.877001 rule 2/0(match): pass in on igb1: 112.234.161.49.26795 > 127.0.0.1.8025: [|tcp]
17:19:41.163942 rule 2/0(match): pass in on igb1: 117.241.70.9.4183 > 127.0.0.1.8025: [|tcp]
17:19:41.366829 rule 2/0(match): pass in on igb1: 117.244.3.240.63272 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:41.629751 rule 2/0(match): pass in on igb1: 113.162.244.56.3196 > 127.0.0.1.8025: [|tcp]
17:19:42.128182 rule 2/0(match): pass in on igb1: 123.213.32.15.2554 > 127.0.0.1.8025: [|tcp]
17:19:42.387051 rule 2/0(match): pass in on igb1: 211.177.83.30.1836 > 127.0.0.1.8025: tcp 32 [bad hdr length 0 - too short, < 20]
^C
7 packets captured
67 packets received by filter
0 packets dropped by kernel
So it seems like the packets are being redirected, but the connection doesn't reach the service on 8025, because spamd doesn't answer.
Actually this applies not only to spamd but to any service that listens on 127.0.0.1. I've tried binding the service to my external interface, and then redirection worked like a charm.
Please assist; what's the problem?
Big thanks!
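As an added example (not part of the original post or of pf itself), here is a small Python parser for the tcpdump pflog lines quoted in the message, using those seven lines, re-joined onto one line each, as a constructed sample. It pulls out the rule number, action, interface, source and translated destination of each logged packet, and flags lines where tcpdump could not decode the TCP header. Run over the capture it confirms what the post infers: every logged packet already carries the rewritten destination 127.0.0.1:8025 and was passed in on igb1, so both the rdr and the pass rule fired, and whatever loses the connection happens after pf. The "bad hdr length" and "[|tcp]" messages are consistent with the 96-byte capture size (pflog header plus IP header leave fewer than 20 bytes for TCP), so they are a capture artefact rather than evidence of malformed packets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the seven pflog lines from the post, one per line
# (the mail client had wrapped them).
SAMPLE_PFLOG = """\
17:19:39.787682 rule 2/0(match): pass in on igb1: 46.16.229.18.33722 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:40.877001 rule 2/0(match): pass in on igb1: 112.234.161.49.26795 > 127.0.0.1.8025: [|tcp]
17:19:41.163942 rule 2/0(match): pass in on igb1: 117.241.70.9.4183 > 127.0.0.1.8025: [|tcp]
17:19:41.366829 rule 2/0(match): pass in on igb1: 117.244.3.240.63272 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:41.629751 rule 2/0(match): pass in on igb1: 113.162.244.56.3196 > 127.0.0.1.8025: [|tcp]
17:19:42.128182 rule 2/0(match): pass in on igb1: 123.213.32.15.2554 > 127.0.0.1.8025: [|tcp]
17:19:42.387051 rule 2/0(match): pass in on igb1: 211.177.83.30.1836 > 127.0.0.1.8025: tcp 32 [bad hdr length 0 - too short, < 20]
"""

# Shape of a "tcpdump -eni pflog0" line for an IPv4 TCP packet:
#   <time> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)


@dataclass
class PflogRecord:
    ts: str
    rule: int
    reason: str
    action: str
    direction: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    truncated: bool  # tcpdump could not decode the TCP header (snaplen too small)


def parse_pflog_line(line: str) -> Optional[PflogRecord]:
    """Parse one pflog line; return None for lines that are not packet records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Both messages mean the TCP header did not fit in the captured bytes.
    truncated = "[|tcp]" in rest or "too short" in rest
    return PflogRecord(
        ts=m.group("ts"), rule=int(m.group("rule")), reason=m.group("reason"),
        action=m.group("action"), direction=m.group("dir"), ifname=m.group("ifname"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")), truncated=truncated,
    )


def parse_pflog(text: str) -> List[PflogRecord]:
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


def summarize(records: List[PflogRecord]) -> dict:
    """Answer the questions an admin asks of this capture: did pf rewrite the
    destination, which rule passed the packets, on which interface, and how
    many lines were undecodable only because of the capture size."""
    return {
        "count": len(records),
        "rules": sorted({r.rule for r in records}),
        "actions": sorted({r.action for r in records}),
        "ifaces": sorted({r.ifname for r in records}),
        "dsts": sorted({f"{r.dst}:{r.dport}" for r in records}),
        "sources": sorted({r.src for r in records}),
        "truncated": sum(r.truncated for r in records),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_pflog(SAMPLE_PFLOG)).items():
        print(f"{key}: {value}")
```

The summary shows a single rule, a single action (pass), a single interface (igb1) and a single destination (127.0.0.1:8025), with all seven lines truncated. The next checks therefore belong after pf: capture again with a larger snap length (`tcpdump -s 0 -eni pflog0 dst port 8025`) so the TCP flags are visible, watch lo0 with `tcpdump -ni lo0 port 8025` to see whether the rewritten SYN is ever delivered to the listening socket, and compare the IP error counters from `netstat -s -p ip` before and after a connection attempt.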