Re: [Nolug] openBSD pf help

From: Scott Harney <scotth_at_scottharney.com>
Date: Mon, 11 Apr 2005 23:43:19 -0500
Message-ID: <425B51E7.9000305@scottharney.com>

Dennis Bourn wrote:
> Hi list,

> rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server \
> port 80

$server isn't set in your pf.conf.

This may work better:
$server="ip.ad.dr.es"
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 \
   -> $server port 80

However, my NAT inbound rule looks like this:
rdr on $ExtIF proto tcp from any to any port 80 -> 192.168.1.8 port 80

Also, the pf.conf below says "rdr pass on ..." instead of "rdr on". That
means that filters will not be applied to packets that match the rule --
probably not what you want. Also in my pf.conf that "nat on" rule comes
after the "rdr" rules.

> gives me this error
>
> # pfctl -f /etc/pf.conf
> /etc/pf.conf:30: port only applies to tcp/udp
> /etc/pf.conf:30: skipping rule due to errors
> /etc/pf.conf:30: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
>
> I've tried using :80 instead of "port 80", I've tried using my external IP
> in place of the second $ext_if, I've used the internal IP of my webserver
> in place of $server, etc., etc., each time getting the same error.
>
> I'll copy my entire pf.conf here to aid in troubleshooting; if anyone
> sees anything I've overlooked please let me know.
>
> Thanks in advance
> Dennis
> "I've got a headache this big *holds hands out* and it's got BSD written
> all over it" I love you BSD but you're killing me here
>
> --------------- begin pf.conf (IP sanitized even though it is in this
> email's headers) ---------------------------
>
> # Macros
> ext_if="fxp0"
> int_if="rl0"
>
> #table <spamd> persist
> #table <spamd-white> persist
>
> scrub in
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #rdr pass on $ext_if proto tcp from <spamd> to port smtp \
> # -> 127.0.0.1 port spamd
> #rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
> # -> 127.0.0.1 port spamd
> rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 80 \
> -> 192.168.1.3 port 80
> #rdr pass on $ext_if proto tcp from any to ($ext_if) port 21 ->
> 192.168.1.3:22
>
> block in
> pass out keep state
> pass in log from any to any port 80
>
> pass quick on { lo $int_if }
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep
> state
> pass in on $int_if proto tcp to ($int_if) port ssh keep state
> pass in log on $ext_if proto tcp to ($ext_if) port ssh keep state
> #rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 192.168.1.2
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
>
> ------------ end pf.conf ------------------
>
>
>

-- 
Scott Harney<scotth@scottharney.com>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
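Scott's diagnosis is a macro ($server) that is referenced in a rule but never assigned. The following is an added example, not code from this thread or from OpenBSD: a small POSIX sh lint that reports every macro a pf.conf references as $name without a matching name="..." definition, so the mistake is caught before pfctl is asked to load the file. It assumes a sh with grep -o (both GNU and BSD grep have it); the sample configs it checks are constructed here to resemble the one in the thread, and the 192.168.1.3 address is a placeholder.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenBSD: a pf.conf lint
# that lists macros referenced as $name but never defined as name="...".
# Assumes POSIX sh plus grep -o (supported by GNU and BSD grep).

# Print each macro referenced in FILE but not defined there, one per line.
# Comments (# to end of line) are stripped first; this is a simplification
# and would mangle a '#' inside a quoted macro value.
undefined_macros() {
    file="$1"
    # definitions: lines of the form   name="value"   (leading spaces allowed)
    defined=$(sed 's/#.*//' "$file" \
        | sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' \
        | sort -u)
    # references: $name, ($name), $name:0 ... anywhere outside comments
    used=$(sed 's/#.*//' "$file" \
        | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' \
        | sed 's/^\$//' \
        | sort -u)
    for m in $used; do
        # whole-line match against the definition list
        printf '%s\n' "$defined" | grep -qx "$m" || echo "$m"
    done
}

# Exit status 0 when every macro is defined, 1 otherwise.
check_pfconf() {
    [ -z "$(undefined_macros "$1")" ]
}

# Constructed sample modelled on the broken config in the thread: $server is
# used in the rdr rule but never assigned. The commented rule references
# $ftp_host, which must be ignored.
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
ext_if="fxp0"
int_if="rl0"
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $server port 80
#rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_host port 22
EOF

# Same config with the missing definition added (placeholder address).
FIXED_CONF=$(mktemp)
{ echo 'server="192.168.1.3"'; cat "$BROKEN_CONF"; } > "$FIXED_CONF"

echo "undefined in broken config: $(undefined_macros "$BROKEN_CONF")"
check_pfconf "$FIXED_CONF" && echo "fixed config: all macros defined"
```

This only catches the macro problem; the authoritative syntax check remains pfctl's parse-only mode, `pfctl -nf /etc/pf.conf`, which reports line numbers like the ones in Dennis's error output without loading anything.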
___________________
Nolug mailing list
nolug@nolug.org
Received on 04/11/05
