Hello,
I just don't get it. I have a PF firewall on my DSL connection with 3 internal network interfaces. On one of the internal networks (LNETTR) there's a web server and an SMTP server.
However, despite redirections and filtering rules it doesn't work. The redirected ports do not open. If I scan myself, all ports are still STEALTH and I cannot connect to them.
Web surf and any outgoing traffic I allow works perfectly.
Any help would be appreciated. My pf.conf below.
Thanks in advance.
/U
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
# 1. Macros
lo_if = "lo0"
ext_if = "rl0"
UNET_if = "vr0"
UNET_network = "10.20.0.32/27"
LNETTR_if = "rl1"
LNETTR_network = "10.20.0.64/27"
# PUBNET_if = "rl2"
# PUBNET_network = "10.20.0.96/27"
internal_networks = "{ 10.20.0.32/27, 10.20.0.64/27 }"
reserved_networks = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
tcpservices = "{ 22, 21, 25, 80, 443, 1863, 5190 }"
udpservices = "{ 53 }"
# 2. Tables
# Empty.
# 3. Options
set limit { states 50000, frags 50000 }
set block-policy drop
set optimization aggressive
# set loginterface $ext_if
set skip on $lo_if
# 4. Packet normalization
scrub in all
# 5. Queueing
# 6. Translation
nat on $ext_if from $internal_networks -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $UNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr pass on $LNETTR_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# rdr pass on $PUBNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> <server ip> port 53
# Note: no filtering rule below passes port 53, so this redirection is still
# dropped by "block in all".
# 7. Filtering
block in all
block out all
block in quick on $ext_if from $reserved_networks to any
block out quick on $ext_if from any to $reserved_networks
block return in log quick on $UNET_if proto tcp from ! x.x.x.x to $UNET_if port 22
pass in on {$UNET_if, $LNETTR_if} proto tcp from $internal_networks to any port $tcpservices
pass in on {$UNET_if, $LNETTR_if} proto udp from $internal_networks to any port $udpservices
# Inbound rdr is applied before the filter rules see the packet, so these
# pass rules must match the translated destination (<server ip>), not
# ($ext_if). Matching on ($ext_if) here never fires and "block in all" wins,
# which is why the redirected ports still look STEALTH from outside.
pass in on $ext_if proto tcp from any to <server ip> port 80 synproxy state
pass in on $ext_if proto tcp from any to <server ip> port 25
pass out on $LNETTR_if all
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
anchor "ftp-proxy/*"
antispoof for { $ext_if, $UNET_if, $LNETTR_if }
#EOF
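The point this ruleset trips over is pf's inbound order: rdr translation runs first, and the filter rules are then evaluated against the already-translated packet, so a "pass in ... to ($ext_if) port 80" rule never sees the packet that was just rewritten to the internal server. The following is an added toy model of that pipeline (not pf and not the poster's code) that replays the page's port 80/25/53 redirections through both the posted pass rules and the corrected ones; the addresses 203.0.113.10 (standing in for "($ext_if)") and 10.20.0.70 (standing in for "<server ip>") are constructed for the walk-through.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the walk-through (assumptions, not from the post):
EXT_IF_ADDR = "203.0.113.10"   # what "($ext_if)" expands to on rl0
SERVER_IP = "10.20.0.70"       # the web/SMTP host in LNETTR, "<server ip>" in the post


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dst: str
    dport: int


def apply_rdr(pkt, rdr_rules):
    """Inbound rdr: the first matching rule rewrites the destination address."""
    for r in rdr_rules:
        if (r["iface"], r["proto"], r["dst"], r["dport"]) == \
                (pkt.iface, pkt.proto, pkt.dst, pkt.dport):
            return replace(pkt, dst=r["to"])
    return pkt


def _matches(rule, pkt):
    """A rule field that is absent means 'any', as in 'block in all'."""
    for key, value in (("iface", pkt.iface), ("proto", pkt.proto),
                       ("dst", pkt.dst), ("dport", pkt.dport)):
        if rule.get(key, "any") not in ("any", value):
            return False
    return True


def filter_in(pkt, filter_rules):
    """pf filter semantics: the last matching rule wins unless a match is 'quick'."""
    verdict = "block"
    for r in filter_rules:
        if _matches(r, pkt):
            verdict = r["action"]
            if r.get("quick"):
                break
    return verdict


def inbound_verdict(pkt, rdr_rules, filter_rules):
    """pf order on the way in: translate first, then filter the translated packet."""
    return filter_in(apply_rdr(pkt, rdr_rules), filter_rules)


# The three rdr lines from the posted pf.conf, in the toy rule format.
RDR_RULES = [
    {"iface": "rl0", "proto": "tcp", "dst": EXT_IF_ADDR, "dport": 80, "to": SERVER_IP},
    {"iface": "rl0", "proto": "tcp", "dst": EXT_IF_ADDR, "dport": 25, "to": SERVER_IP},
    {"iface": "rl0", "proto": "tcp", "dst": EXT_IF_ADDR, "dport": 53, "to": SERVER_IP},
]


def filter_rules_for(dst):
    """'block in all' followed by the two pass rules, with the given destination."""
    return [
        {"action": "block"},
        {"iface": "rl0", "proto": "tcp", "dst": dst, "dport": 80, "action": "pass"},
        {"iface": "rl0", "proto": "tcp", "dst": dst, "dport": 25, "action": "pass"},
    ]


FILTER_AS_POSTED = filter_rules_for(EXT_IF_ADDR)  # "... to ($ext_if) port ..."
FILTER_FIXED = filter_rules_for(SERVER_IP)         # "... to <server ip> port ..."


def verdict_as_posted(dport):
    pkt = Packet("rl0", "tcp", EXT_IF_ADDR, dport)
    return inbound_verdict(pkt, RDR_RULES, FILTER_AS_POSTED)


def verdict_fixed(dport):
    pkt = Packet("rl0", "tcp", EXT_IF_ADDR, dport)
    return inbound_verdict(pkt, RDR_RULES, FILTER_FIXED)


if __name__ == "__main__":
    for port in (80, 25, 53, 22):
        print(f"port {port}: as posted -> {verdict_as_posted(port)}, "
              f"fixed -> {verdict_fixed(port)}")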