The UNIX and Linux Forums  
Hello and Welcome from United States to the UNIX and Linux Forums! Thank You for Visiting and Joining Our Global Community.

Go Back   The UNIX and Linux Forums > Special Forums > Security
PF wont open port despite rules... PF wont open port despite rules...
.
google unix.com

Forums Register Forum RulesLinksAlbums FAQ Members List Calendar Search Today's Posts Mark Forums Read


Security Discuss UNIX and Linux computer and network security, cybersecurity, cyberattacks, IT security, CISSP, OWASP and more.

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
How to open a port in AIX sanju_d1231 AIX 2 05-07-2008 04:38 AM
How to open SSH port on firewall? pjewett SUN Solaris 3 02-18-2008 01:00 PM
open port mm00123 Linux 5 08-27-2007 03:43 AM
Solaris 8 to many open port hezry79 SUN Solaris 3 03-29-2006 06:59 PM
open an port on freebsd jurrien High Level Programming 0 12-04-2002 09:40 AM

Closed Thread
English Japanese Spanish French German Portuguese Italian Dutch Swedish Russian Norwegian Hungarian Hebrew Danish Powered by Powered by Google
 
LinkBack Thread Tools Search this Thread Rate Thread Display Modes
  #1 (permalink)  
Old 06-24-2008
Dain_L Dain_L is offline
Registered User
  
 

Join Date: Jun 2008
Posts: 1
Question PF wont open port despite rules...
Hello,

I just dont get it. I have a PF firewall on my DSL connection with 3 internal network interfaces. On one of the internal networks (LNETTR) theres a web server and a smtp server.

However; despite redirections and filtering rules it doesn't work. The ports redirected does not open. If I scan myself all ports are still STEALTH and I cannot connect to them.
Web surf and any outgoing traffic I allow works perfectly.

Any help would be appreciated. My pf.conf below.
Thnx in advance.

/U

Quote:
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $


# 1. Macros
lo_if = "lo0"

ext_if = "rl0"

UNET_if = "vr0"
UNET_network = "10.20.0.32/27"

LNETTR_if = "rl1"
LNETTR_network = "10.20.0.64/27"

# PUBNET_if = "rl2"
# PUBNET_network "10.20.0.96/27"

internal_networks = "{ 10.20.0.32/27, 10.20.0.64/27 }"
reserved_networks = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

tcpservices = "{ 22, 21, 25, 80, 443, 1863, 5190 }"
udpservices = "{ 53 }"


# 2. Tables
# Tomt.

# 3. Options
set limit { states 50000, frags 50000 }
set block-policy drop
set optimization aggressive
# set loginterface $ext_if
set skip on $lo_if

# 4. Packet normalization
scrub in all

# 5. Queueing

# 6. Translation
nat on $ext_if from $internal_networks -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $UNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr pass on $LNETTR_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# rdr pass on $PUBNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> <server ip> port 53



# 7. Filtering


block in all
block out all

block in quick on $ext_if from $reserved_networks to any
block out quick on $ext_if from any to $reserved_networks
block return in log quick on $UNET_if proto tcp from ! x.x.x.x to $UNET_if port 22

pass in on {$UNET_if, $LNETTR_if} proto tcp from $internal_networks to any port $tcpservices
pass in on {$UNET_if, $LNETTR_if} proto udp from $internal_networks to any port $udpservices

pass in on $ext_if proto tcp from any to ($ext_if) port 80 synproxy state
pass in on $ext_if proto tcp from any to ($ext_if) port 25

pass out on $LNETTR_if all
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state


anchor "ftp-proxy/*"
antispoof for { $ext_if, $UNET_if, $LNETTR_if }

#EOF
  #2 (permalink)  
Old 08-15-2008
amsct amsct is offline
Registered User
  
 

Join Date: Aug 2008
Location: Amsterdam, The Netherlands
Posts: 33
I would switch on the logging and check your log to see what happens.
If you are connecting from the internet through your dsl modem, I would use tcpdump (tcpdump -vvv -n -i rl0 port 80) while you try to connect and see if you packets arrive to the firewall. If it doesn't, it is likely your dsl modem is not correctly configured. usually you will need to configure nat/pat to forward port 80 to your firewall external interface. Besides, if you dsl modem includes a firewall, you will also need to open port 80 from any.
  #3 (permalink)  
Old 10-16-2008
Luka Luka is offline
Registered User
  
 

Join Date: Oct 2008
Posts: 36
You could add pass keyword to three rules and see if it works
Code:
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> <server ip> port 53
Closed Thread

Bookmarks

« Does any hunk knows how to block ultrasurf in squid proxy red hat version 4 | ssh X-forwarding and remote forwarding behind proxy »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes Rate This Thread
Hybrid Mode Hybrid Mode
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -4. The time now is 02:34 PM.

The UNIX and Linux Forums - Learn UNIX and UNIX Commands RSS Feeds - Contact Us - The UNIX and Linux Forums - Learn UNIX and UNIX Commands - Archive - Top

Powered by: vBulletin, Copyright ©2000 - 2006, Jelsoft Enterprises Limited. Language Translations Powered by .
vBCredits v1.4 Copyright ©2007 - 2008, PixelFX Studios
The UNIX and Linux Forums Content Copyright ©1993-2009. All Rights Reserved.Ad Management by RedTyger

Content Relevant URLs by vBSEO 3.2.0