can't add a port forwarding

mouss mouss at netoyen.net
Sat Nov 15 09:33:14 PST 2008


Bastien Semene wrote:
> Hi everyone,
> 
> I'm currently facing a weird problem. I have a pf box acting as a 
> gateway for some services and want to add a port forwarding for https.
> 
> So I added the following rule :
> 
> rdr pass on $ext_if proto tcp from any to any port 443 -> $atlas_ip  
> //variables are correct since I have a similar rule for port 80.
> 
> The "pfctl -s nat" shows this :
> 
> nat on bge0 inet from 10.1.8.1 to any -> "external_interface_ip"
> rdr pass on bge0 inet proto tcp from any to any port = http -> 10.1.8.1
> rdr pass on bge0 inet proto tcp from any to any port = https -> 10.1.8.1
> 
> An Nmap from outside shows this :
> 
> # nmap -P0 -p80,443,17900 "external_interface_ip"
> 
> Starting Nmap 4.20 ( http://insecure.org ) at 2008-11-04 16:22 CET
> Interesting ports on "external_interface_ip":
> PORT      STATE     SERVICE
> 80/tcp    open      http
> 443/tcp   closed    https
> 17900/tcp filtered  unknown
> 

maybe you allow port 80 but not 443 in your pf rules?

> I tried reloading pf rules with "pfctl -F all -f /etc/pf.conf", 
> restarting the machine, but nothing changed. The securelevel is also at 
> -1, so pf should take the changes into account.
> And of course the destination https server receives nothing on the https port.
> http and the preconfigured nat/forwards work perfectly.
> 
> I tried to comment the "scrub in all" option, but because the rdr line 
> doesn't seem to be affected, I'm not sure this one is.
> 
> If someone has an idea or a direction to follow, I'll take every piece of 
> thought.
> Thanks all.
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
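An added example, not from either poster: the same forwarding written with a plain `rdr` plus explicit filter rules, so that `pfctl -s rules` shows whether 443 is really allowed in. With `rdr pass` the redirected packets bypass the filter ruleset, which hides exactly the mismatch mouss asks about. Interface, addresses and macro names follow the post (bge0, 10.1.8.1, $ext_if, $atlas_ip); the internal network 10.1.8.0/24 is an assumption.

```pf
# Example ruleset (constructed for illustration, not the poster's pf.conf).
ext_if    = "bge0"
atlas_ip  = "10.1.8.1"
int_net   = "10.1.8.0/24"      # assumed internal network
fwd_ports = "{ http, https }"

scrub in all

# Outbound NAT for the internal host, as shown by "pfctl -s nat".
nat on $ext_if inet from $atlas_ip to any -> ($ext_if)

# Redirect only; without the "pass" keyword the redirected packets are
# still evaluated by the filter rules below.
rdr on $ext_if inet proto tcp from any to any port $fwd_ports -> $atlas_ip

block in log on $ext_if
pass out on $ext_if keep state

# The filter sees the packet after translation, so the pass rule must
# name the internal address, not the external one. Listing both ports
# here is the check mouss suggests: a forward for https with a pass rule
# for http only would leave 443 blocked even though "pfctl -s nat"
# shows the rdr line.
pass in on $ext_if inet proto tcp from any to $atlas_ip port $fwd_ports \
    flags S/SA keep state

# Verify the syntax before loading, then confirm both ports appear in
# the translation and the filter rulesets:
#   pfctl -nf /etc/pf.conf
#   pfctl -s nat   | grep -e http -e https
#   pfctl -s rules | grep -e http -e https
```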