PF won't open port despite rules...

# 1  
Old 06-24-2008

Hello,

I just don't get it. I have a PF firewall on my DSL connection with 3 internal network interfaces. On one of the internal networks (LNETTR) there's a web server and an SMTP server.

However, despite redirections and filtering rules it doesn't work. The redirected ports do not open. If I scan myself all ports are still STEALTH and I cannot connect to them.
Web surf and any outgoing traffic I allow works perfectly.

Any help would be appreciated. My pf.conf below.
Thanks in advance.

/U

Quote:
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $


# 1. Macros
lo_if = "lo0"

ext_if = "rl0"

UNET_if = "vr0"
UNET_network = "10.20.0.32/27"

LNETTR_if = "rl1"
LNETTR_network = "10.20.0.64/27"

# PUBNET_if = "rl2"
# PUBNET_network = "10.20.0.96/27"

internal_networks = "{ 10.20.0.32/27, 10.20.0.64/27 }"
reserved_networks = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

tcpservices = "{ 22, 21, 25, 80, 443, 1863, 5190 }"
udpservices = "{ 53 }"


# 2. Tables
# Empty.

# 3. Options
set limit { states 50000, frags 50000 }
set block-policy drop
set optimization aggressive
# set loginterface $ext_if
set skip on $lo_if

# 4. Packet normalization
scrub in all

# 5. Queueing

# 6. Translation
nat on $ext_if from $internal_networks -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $UNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr pass on $LNETTR_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# rdr pass on $PUBNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> <server ip> port 53



# 7. Filtering


block in all
block out all

block in quick on $ext_if from $reserved_networks to any
block out quick on $ext_if from any to $reserved_networks
block return in log quick on $UNET_if proto tcp from ! x.x.x.x to $UNET_if port 22

pass in on {$UNET_if, $LNETTR_if} proto tcp from $internal_networks to any port $tcpservices
pass in on {$UNET_if, $LNETTR_if} proto udp from $internal_networks to any port $udpservices

pass in on $ext_if proto tcp from any to ($ext_if) port 80 synproxy state
pass in on $ext_if proto tcp from any to ($ext_if) port 25

pass out on $LNETTR_if all
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state


anchor "ftp-proxy/*"
antispoof for { $ext_if, $UNET_if, $LNETTR_if }

#EOF
# 2  
Old 08-15-2008
I would switch on the logging and check your log to see what happens.
If you are connecting from the internet through your DSL modem, I would use tcpdump (tcpdump -vvv -n -i rl0 port 80) while you try to connect and see if your packets arrive at the firewall. If they don't, it is likely your DSL modem is not correctly configured. Usually you will need to configure NAT/PAT to forward port 80 to your firewall's external interface. Besides, if your DSL modem includes a firewall, you will also need to open port 80 from any.
# 3  
Old 10-16-2008
You could add the pass keyword to these three rules and see if it works
Code:
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> <server ip> port 53
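Added example, not part of this thread and not pf's own code: a small Python model of the order in which pf of that era (the pre-4.7 syntax used in the posted pf.conf) handles an inbound packet. Translation (rdr) is applied first, and the filter rules are then evaluated against the translated destination, so a rule written as "pass in on $ext_if ... to ($ext_if) port 80" never sees a redirected packet. The model replays the port 80 case from the first post against the original rule set, against a filter rule that matches the internal server address, and against the "rdr pass" form suggested in reply #3. The external address, the server address and the client address are constructed placeholders standing in for ($ext_if) and <server ip>; the rule matching is simplified to interface, protocol, destination and port.

```python
"""Model of pf (pre-4.7) rule evaluation: rdr first, then filtering.

Added example, not pf code. Addresses are constructed placeholders.
"""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

EXT_IP = "203.0.113.10"     # constructed: address on $ext_if (rl0)
SERVER_IP = "10.20.0.70"    # constructed stand-in for <server ip> on LNETTR
CLIENT_IP = "198.51.100.7"  # constructed: an internet client


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """One 'rdr on <iface> proto <proto> ... to <dst> port <dport> -> <to> port <to_port>'."""
    iface: str
    proto: str
    dst: str
    dport: int
    to: str
    to_port: int
    passes: bool = False  # 'rdr pass': translated packet skips the filter


@dataclass(frozen=True)
class Filter:
    """One filter rule; None fields match anything (e.g. 'block in all')."""
    action: str                   # "pass" or "block"
    iface: Optional[str]
    proto: Optional[str]
    dst: Optional[str]            # address or CIDR
    dport: Optional[int]
    quick: bool = False


def _addr_match(rule_net: Optional[str], addr: str) -> bool:
    if rule_net is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_net, strict=False)


def _filter_match(r: Filter, pkt: Packet) -> bool:
    return ((r.iface is None or r.iface == pkt.iface)
            and (r.proto is None or r.proto == pkt.proto)
            and _addr_match(r.dst, pkt.dst)
            and (r.dport is None or r.dport == pkt.dport))


def evaluate(pkt: Packet, rdrs, filters):
    """Return (verdict, packet as the filter saw it).

    The first matching rdr rewrites the destination; 'rdr pass' ends
    evaluation with a pass. Otherwise the last matching filter rule wins,
    unless a matching rule is marked quick.
    """
    for r in rdrs:
        if (r.iface == pkt.iface and r.proto == pkt.proto
                and r.dst == pkt.dst and r.dport == pkt.dport):
            pkt = replace(pkt, dst=r.to, dport=r.to_port)
            if r.passes:
                return "pass", pkt
            break
    verdict = "pass"  # pf's default when nothing matches
    for f in filters:
        if _filter_match(f, pkt):
            verdict = f.action
            if f.quick:
                break
    return verdict, pkt


# Rules from the first post, reduced to the port 80 case.
RDR_ORIGINAL = [Rdr("rl0", "tcp", EXT_IP, 80, SERVER_IP, 80)]
FILTER_ORIGINAL = [
    Filter("block", None, None, None, None),   # block in all
    Filter("pass", "rl0", "tcp", EXT_IP, 80),  # pass in on $ext_if ... to ($ext_if) port 80
]
# Fix 1: filter on the translated destination, i.e. the internal server.
FILTER_ON_SERVER = [
    Filter("block", None, None, None, None),
    Filter("pass", "rl0", "tcp", SERVER_IP, 80),
]
# Fix 2: 'rdr pass' as suggested in reply #3.
RDR_PASS = [Rdr("rl0", "tcp", EXT_IP, 80, SERVER_IP, 80, passes=True)]

INBOUND_HTTP = Packet("rl0", "tcp", CLIENT_IP, EXT_IP, 80)  # constructed


def check(rdrs, filters, pkt: Packet = INBOUND_HTTP) -> str:
    return evaluate(pkt, rdrs, filters)[0]


if __name__ == "__main__":
    print("original config :", check(RDR_ORIGINAL, FILTER_ORIGINAL))   # block
    print("filter on server:", check(RDR_ORIGINAL, FILTER_ON_SERVER))  # pass
    print("rdr pass        :", check(RDR_PASS, FILTER_ORIGINAL))       # pass
```

The original rule set blocks the connection because, by the time the filter runs, the destination is already the server address and the only pass rule still names the external address. Either fix lets the packet through; the "rdr pass" form is the shorter one, while a filter rule on the internal address keeps the redirected traffic subject to the rest of the rule set (state options such as synproxy included).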
