From: Imre Oolberg (imre auul.pri.ee)
Date: Thu Aug 21 2008 - 16:28:05 CDT
Hallo!
My guess is you don't get anything logged since you pass with rdr rules.
Maybe it is cleaner to keep translation and filtering separate, e.g.
have translation rules like this
rdr on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
And then you need to pass not to the external interface's IP address but
to where your, so to say, real server is, e.g. the rule
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
should rather read
pass in on $ext_if proto tcp from any to $webby_server port 80 keep state
And also note that a rule like this works when there aren't other rules that
match the packet. Maybe it is more straightforward, at least for
debugging, to add the 'quick' keyword to it, which makes the rule match no
matter what follows, like this
pass in quick on $ext_if proto tcp from any to $webby_server port 80 keep state
Imre
Parvinder Bhasin wrote:
> List,
>
> I am having some issues while redirecting traffic to port 80 on the
> $squid_server.
>
> I have this server serving two purpose: apache web server and squid
> server. I can definitely get to the PROXY services fine but cannot get
> to the WWW (port 80) on the same server.
>
> Another issue is that when I try to actively look at the pflog by
> running "tcpdump -n -e -ttt -i pflog0 " , I don't get anything even
> when the traffic is passing and/or getting blocked.
>
> Any help is highly appreciated.
>
> thx.
>
>
> For this I have the following pf config:
>
>
> ext_if="sk0"
> int_if="gem0"
> pf_log="pflog0"
> webby
> set skip on enc0
> set skip on gre0
>
> external_ip="70.40.22.17"
> external_ips="{70.40.22.17 70.40.22.18 70.40.22.19}"
> external_net="{70.40.22.17 70.40.22.18 70.40.22.19}"
>
>
> internal_ip="172.16.10.10"
> internal_networks="{172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}"
>
> webby_ip="70.40.22.18"
> webby_server="172.16.10.11"
>
> squid_ip="70.40.22.19"
> squid_server="172.16.10.12"
>
> # block_ip="70.40.22.20"
> block_server="172.16.10.12"
>
> ######TABLES########
> table <bruteforce> persist
> table <kiddies> persist
>
> #### OPTIONS #####
> set loginterface $ext_if
> set loginterface $int_if
> scrub in
>
> #### NAT/REDIRECTS ####
>
> nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
>
> # rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
> rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
> rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
> rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
> rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80
>
> ###### FILTERS #####
> block log quick from <bruteforce>
> block log quick from <kiddies>
> block in log on $pf_log
>
>
> # pass in quick on $int_if
> pass out keep state
>
> pass in on $ext_if proto icmp from any to $external_ip keep state
> pass in on $ext_if proto tcp from any to $external_ip port ssh keep state
> pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
> pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
> pass in log (all, to $pf_log) on $ext_if proto tcp from any to $squid_ip port 3128 keep state
> pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
> # pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
> pass in on $ext_if proto tcp from any to $external_ips port 22 keep state
> pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)
> # block in quick on $ext_if
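The two points Imre makes (an `rdr pass` rule skips the filter rules entirely, so nothing is logged, and a separate `pass` rule must name the post-translation address because pf filters the packet after rdr has rewritten it) can be checked against a small model of pf's evaluation order. The following is an added example written for this archive page, not code from the thread or from pf itself: it models only the subset of the syntax discussed here (interface, direction, proto, destination, port, `quick`, `log`), uses the addresses from the quoted pf.conf, and the `BLOCK_ALL_IN` rule is a constructed default-deny stand-in for the poster's block rules.

```python
"""
Reduced model of the pf packet path: translation (rdr) runs first, a matching
'rdr pass' returns without evaluating filter rules, and otherwise the filter
rules see the translated destination with last-match-wins semantics unless a
rule carries 'quick'. Added example; the rule syntax is deliberately a subset.
"""
from dataclasses import dataclass
from typing import List, Optional

# Values copied from the quoted pf.conf.
EXT_IF = "sk0"
WEBBY_IP = "70.40.22.18"
WEBBY_SERVER = "172.16.10.11"


@dataclass
class Packet:
    iface: str
    direction: str  # "in" or "out"
    proto: str
    dst: str
    dport: int


@dataclass
class Rdr:
    iface: str
    proto: str
    dst: str
    dport: int
    to: str
    to_port: int
    passthrough: bool = False  # the 'pass' modifier on an rdr rule


@dataclass
class Filter:
    action: str  # "pass" or "block"
    direction: Optional[str] = None  # None matches either direction
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    log: bool = False


@dataclass
class Verdict:
    action: str
    logged: bool  # would a pflog entry be produced
    matched_by: str


def _matches(rule: Filter, pkt: Packet) -> bool:
    # A None field in the rule is a wildcard, otherwise it must equal the packet's.
    return all(
        getattr(rule, f) in (None, getattr(pkt, f))
        for f in ("direction", "iface", "proto", "dst", "dport")
    )


def evaluate(pkt: Packet, rdrs: List[Rdr], filters: List[Filter]) -> Verdict:
    # Step 1: translation, first matching rdr wins and rewrites the destination.
    for r in rdrs:
        if (r.iface, r.proto, r.dst, r.dport) == (pkt.iface, pkt.proto, pkt.dst, pkt.dport):
            pkt = Packet(pkt.iface, pkt.direction, pkt.proto, r.to, r.to_port)
            if r.passthrough:
                # 'rdr pass': no filter rule is consulted, so nothing is logged.
                return Verdict("pass", False, "rdr pass")
            break
    # Step 2: filtering on the translated packet. Default is pass; the last
    # matching rule decides unless a matching rule says 'quick'.
    verdict = Verdict("pass", False, "default")
    for i, f in enumerate(filters):
        if _matches(f, pkt):
            verdict = Verdict(f.action, f.log, f"filter[{i}]")
            if f.quick:
                break
    return verdict


# Constructed inbound request to the public web address on the external interface.
INBOUND_WEB = Packet(EXT_IF, "in", "tcp", WEBBY_IP, 80)
RDR_PASS = [Rdr(EXT_IF, "tcp", WEBBY_IP, 80, WEBBY_SERVER, 80, passthrough=True)]
RDR_ONLY = [Rdr(EXT_IF, "tcp", WEBBY_IP, 80, WEBBY_SERVER, 80)]
# Constructed default-deny with logging (stand-in for the poster's block rules).
BLOCK_ALL_IN = Filter("block", direction="in", iface=EXT_IF, log=True)


def rdr_pass_case() -> Verdict:
    # The original approach: translation passes the packet, filters never run.
    return evaluate(INBOUND_WEB, RDR_PASS, [BLOCK_ALL_IN])


def pass_to_external_ip_case() -> Verdict:
    # Separate rdr, but the pass rule names the pre-translation address.
    return evaluate(INBOUND_WEB, RDR_ONLY,
                    [BLOCK_ALL_IN, Filter("pass", "in", EXT_IF, "tcp", WEBBY_IP, 80)])


def pass_to_real_server_case() -> Verdict:
    # Imre's correction: the pass rule names the internal server.
    return evaluate(INBOUND_WEB, RDR_ONLY,
                    [BLOCK_ALL_IN, Filter("pass", "in", EXT_IF, "tcp", WEBBY_SERVER, 80)])


def quick_then_block_case() -> Verdict:
    # 'quick' stops evaluation, so a later, broader block cannot override it.
    return evaluate(INBOUND_WEB, RDR_ONLY,
                    [Filter("pass", "in", EXT_IF, "tcp", WEBBY_SERVER, 80, quick=True),
                     BLOCK_ALL_IN])


def pass_then_block_case() -> Verdict:
    # Same rules without 'quick': the later block is the last match and wins.
    return evaluate(INBOUND_WEB, RDR_ONLY,
                    [Filter("pass", "in", EXT_IF, "tcp", WEBBY_SERVER, 80), BLOCK_ALL_IN])


if __name__ == "__main__":
    for fn in (rdr_pass_case, pass_to_external_ip_case, pass_to_real_server_case,
               quick_then_block_case, pass_then_block_case):
        print(f"{fn.__name__:28s} {fn()}")
```

Running it shows the `rdr pass` case producing a pass with no log entry, the pass rule aimed at `$webby_ip` never matching the translated packet (so the block rule wins and is what gets logged), the rule aimed at `$webby_server` passing it, and `quick` being the difference between that pass surviving a later block rule or not.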