Port redirection just not working!

Keith Bottner keith at barkinglizards.com
Wed Feb 1 07:56:53 PST 2006


I am having a problem getting packet filter to redirect incoming traffic
destined for a specific IP and port to an internal DMZ host. Interestingly
enough, I am not having a problem doing the same with SSH; it is only these
nonstandard ports that fail. I was originally redirecting the traffic and then
placing filtering rules to pass it, but since I could not get that to work I
tried having the redirection rules pass the traffic directly, bypassing the
filtering rules, and this does NOT work either. I would appreciate any
insight someone can give me into what I am doing wrong, as I have read the
manual several times and googled forever with no luck.
 
Any help would be appreciated,

Keith


My firewall has 3 NICs: 1 external, 1 DMZ, and 1 internal.
 
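##########
# MACROS #
##########
# NOTE(review): every rule below must sit on one line (or be continued with a
# trailing backslash); the rules and the commented-out block at the end were
# wrapped mid-line in the posted copy and are rejoined here.

# External interface and the public addresses the redirects match on.
# NOTE(review): X.Y.Z.19 has to be configured on $ext_if (as an alias) for the
# rdr rules to it to ever see traffic -- the working ssh redirects to the same
# address suggest it is.
ext_if="xl1"
ext_gw_addr="X.Y.Z.17"

ext_nat_addr="X.Y.Z.18"

# Three names for one public address (X.Y.Z.19); presumably kept separate so
# the services can later be split onto their own addresses.
ext_http_addr="X.Y.Z.19"
ext_ftp_addr="X.Y.Z.19"
ext_blits_addr="X.Y.Z.19"

# Not referenced by any rule in this file (nor is $ext_gw_addr above).
ext_unused1_addr="X.Y.Z.20"
ext_unused2_addr="X.Y.Z.21"
ext_ea_addr="X.Y.Z.22"

# Internal (Intranet)
int_if="xl0"
int_net="192.168.1.0/24"

# DMZ
dmz_if="vr0"
dmz_net="10.11.13.0/24"

# DMZ hosts that receive redirected traffic (http and ftp share one host).
dmz_http_addr="10.11.13.100"
dmz_ftp_addr="10.11.13.100"
dmz_nimb_addr="10.11.13.106"
dmz_clip_addr="10.11.13.103"

dmz_three_addr="10.11.13.203"
dmz_four_addr="10.11.13.204"
dmz_five_addr="10.11.13.205"

##########
# TABLES #
##########
# RFC 1918 / loopback space; used by the anti-spoof blocks on $ext_if below.
table <priv_nets> const { 127/8, 10/8, 172.16/12, 192.168/16 }
# Declared but not referenced by any rule in this file.
table <firewall> const { X.Y.Z.18, X.Y.Z.19, X.Y.Z.20, X.Y.Z.21}

#################
# NORMALIZATION #
#################
# Reassemble fragments before translation/filtering so rules see whole packets.
scrub in all fragment reassemble

############
# QUEUEING #
############

###############
# TRANSLATION #
###############
# Translation rules are evaluated before the filter rules; the first matching
# nat/rdr rule wins, so the ftp-proxy anchors take precedence over everything
# below them.
# FTP Active connections
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT workstations
nat on $ext_if from $int_net to any -> $ext_nat_addr

# NAT servers external requests
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

###############
# REDIRECTION #
###############

# *********** DOES NOT WORK - START ***********
# NOTE(review): `rdr pass` passes the matching packet with state kept and
# WITHOUT evaluating the FILTERING section, so `block in log all`, the
# <priv_nets> block and antispoof below are not applied to these connections,
# and no `flags S/SA` / synproxy check is made.  That is a wider opening than
# the ssh redirects below (plain `rdr` plus an explicit `pass in ... synproxy
# state`), so prefer returning to that pattern once the fault is found.
# These rules differ from the working ssh redirects only in the port (same
# $ext_if, same public address, same DMZ hosts), so the redirect itself is
# unlikely to be the cause.  Useful checks: `pfctl -nf` on the ruleset (does
# it parse?), `pfctl -sn` (are these rdr rules loaded?), `pfctl -ss` (does a
# state appear on a connection attempt?), `tcpdump -n -e -ttt -i pflog0`
# (which block rule logs it?) and `tcpdump -ni $dmz_if` (does the translated
# SYN leave, and does the DMZ host answer on that port?).
rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr pass on $int_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr

rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4030:4034 -> $dmz_three_addr

rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4040:4044 -> $dmz_four_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4040:4044 -> $dmz_four_addr

rdr pass on $ext_if proto tcp from any to $ext_blits_addr port 4050:4054 -> $dmz_five_addr
rdr pass on $int_if proto tcp from any to $ext_blits_addr port 4050:4054 -> $dmz_five_addr
# *********** DOES NOT WORK - END ***********


# Internal clients' outbound ftp goes through the local ftp-proxy.
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# http: `to $ext_if` matches any address configured on the interface.
rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http
rdr on $int_if proto tcp from any to $ext_http_addr port http -> $dmz_http_addr port http


# ssh to each DMZ host via a distinct public port (these work, per the post).
# Pairs are kept for $ext_if and $int_if so internal clients can use the
# public address too.  Note that only the $int_if rule for $dmz_http_addr
# uses port 200; the $ext_if rule uses port ssh.
rdr on $ext_if proto tcp from any to $ext_http_addr port ssh -> $dmz_http_addr
rdr on $int_if proto tcp from any to $ext_http_addr port 200 -> $dmz_http_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_nimb_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 1666 -> $dmz_nimb_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 220 -> $dmz_clip_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 223 -> $dmz_three_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 223 -> $dmz_three_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 224 -> $dmz_four_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 224 -> $dmz_four_addr port ssh
rdr on $ext_if proto tcp from any to $ext_http_addr port 225 -> $dmz_five_addr port ssh
rdr on $int_if proto tcp from any to $ext_http_addr port 225 -> $dmz_five_addr port ssh

# ftp control plus the passive data range to the DMZ ftp host.
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr

rdr on $int_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $int_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr

#############
# FILTERING #
#############
# Filter rules run after translation, so inbound rules match on the DMZ
# (post-rdr) address and port.  The last matching rule wins unless it is
# marked `quick`.

# Default deny in both directions; blocks are logged to pflog0.
block in log all
block out log all
pass quick on lo0 all
# Drop private-source traffic arriving from the outside and leaking out.
block in log quick on $ext_if from <priv_nets> to any
block out quick on $ext_if from any to <priv_nets>
antispoof quick for { $int_if, $dmz_if } inet
pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state

# Active-mode ftp data connections initiated by the ftp-proxy.
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state

anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state

# ftp to the DMZ host: control port and the passive range (>29999 is wider
# than the 30000:30999 rdr above; only redirected ports actually arrive).
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state


# ssh to the DMZ hosts (matched on the translated destination), SYN-proxied.
pass in log on $ext_if proto tcp from any to $dmz_http_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_nimb_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_clip_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_three_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_four_addr port ssh flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to $dmz_five_addr port ssh flags S/SA synproxy state


# *********** HERE ARE THE OLD RULES I WAS USING BEFORE I DECIDED TO REMOVE THEM AND JUST PASS IN
# *********** THE REDIRECTION RULES ABOVE. INCLUDED THEM HERE FOR COMPLETENESS.
# NOTE(review): the 9874 rule kept no state.  On a pf without implicit keep
# state (the pf shipped with FreeBSD at the time of this post -- confirm for
# your version) the DMZ host's SYN+ACK leaving on $ext_if fails `flags S/SA`
# in the `pass out ... modulate state` rule below and falls through to
# `block out log all`, so that rule could not have worked as written; the
# three synproxy rules below it are the same shape as the working ssh rules.
#pass in on $ext_if proto tcp from any to $dmz_clip_addr port 9874
#pass in on $ext_if proto tcp from any to $dmz_three_addr port { 4030 4031 4032 4033 4034 } flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $dmz_four_addr port { 4040 4041 4042 4043 4044 } flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $dmz_five_addr port { 4050 4051 4052 4053 4054 } flags S/SA synproxy state


pass in on $int_if from $int_net to any keep state
# NOTE(review): `from $dmz_net to any` also lets a DMZ host open connections
# toward $int_net -- with floating states (the default) the state created
# here carries the traffic out on $int_if, which has no pass out rule of its
# own.  If that is not intended, tighten it, e.g. `to ! $int_net`.
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state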



