
I'm trying to configure pf port forwarding on OpenBSD 5.0

The firewall machine has two nics:

em0: 192.168.200.3
vic0: 192.65.214.136

I would like to forward all packets coming into 192.168.200.3:104 to 192.65.214.131:104. Also I need to still have access to port 22, for ssh.

So far, the rules I've set up are as follows:

set skip on lo

pass in log on em0 proto tcp from any to any port 104 rdr-to 192.65.214.131

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

By reading the log using tcpdump -n -e -ttt -r /var/log/pflog, I see that rule 0 is matched, but the calling application does not receive the acknowledgement it is expecting.

What am I doing wrong?

BTW. I can ping and telnet to 192.65.214.131.

Edit: Here's the new /etc/pf.conf, now it works. Thanks Falcon.

set skip on lo

pass in log on em0 proto tcp from any to any port 104 rdr-to 192.65.214.131
pass out on vic0 from em0:network to any nat-to vic0
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

Edit: Mm, the nat-to rule only works when packets are sent from 192.168.200.x, but some packets are sent from 192.168.7.xxx. How can I allow those too?

Thanks in advance, Leonardo.

Leonardo Ramé

1 Answer

Make sure that the client interfaces are able to ping 192.65.214.131 as well as the server running pf, and that 192.65.214.131 is able to ping the client machines (or if ping is disabled for some reason, just make sure they have a route that works). One really common issue with these setups is that the packet can get to the host with the NAT's help, but if the NAT has only changed the destination address and not the source, or if it is intended only to redirect but the routing table doesn't show the way back, the packets can go only one way and you have an asymmetric routing failure.

Falcon Momot
  • Yes, I can ping from 192.65.214.136 to 131 and from 131 to 136 without problems. From 131 I can't ping 192.168.200.3, because they're on different networks; that's why I placed OpenBSD in the middle, with two nics. – Leonardo Ramé May 01 '12 at 23:38
  • I trust you have NAT rules set up similar to the way it is in this documentation: http://www.openbsd.org/faq/pf/nat.html#config ? – Falcon Momot May 01 '12 at 23:56
  • Thanks Falcon! I just had to add this rule: "pass out on vic0 from em0:network to any nat-to vic0" and everything started to work as expected. Thank you. – Leonardo Ramé May 02 '12 at 00:20
  • Mm, the nat-to rule only works when packets are sent from 192.168.200.x, but some packets are sent from 192.168.7.xxx. How can I allow those too? – Leonardo Ramé May 02 '12 at 18:20
  • You'd need the firewall+NAT box to have a (possibly virtual) interface on that LAN as well, I suspect, or at least a route to that subnet. Then, you have to repeat the previous steps for each additional interface. – Falcon Momot May 02 '12 at 18:46
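A complete /etc/pf.conf that covers both LANs, as an added example (not the configuration from the question or the answer). It assumes the second LAN is 192.168.7.0/24 and that the firewall already has a route to that subnet, as the last comment requires; the macro names are my own, and the rdr-to rule is narrowed to traffic actually addressed to em0 rather than "from any to any".

```pf
# Added example for OpenBSD 5.0 pf syntax (rdr-to / nat-to on pass rules).
# Assumption: a second LAN 192.168.7.0/24 reaches em0 through a router on
# the 192.168.200.0/24 segment, and the firewall has a route back to it.
ext_if   = "vic0"
int_if   = "em0"
srv_104  = "192.65.214.131"
lan_nets = "{ 192.168.200.0/24, 192.168.7.0/24 }"

set skip on lo

# Keep SSH to the firewall itself reachable from the internal side.
pass in on $int_if proto tcp from $lan_nets to ($int_if) port 22

# Redirect port 104 arriving on em0's own address to the server behind vic0.
# Logged so hits can still be read with: tcpdump -n -e -ttt -r /var/log/pflog
pass in log on $int_if proto tcp from $lan_nets to ($int_if) port 104 rdr-to $srv_104

# Source-NAT everything that leaves vic0 from either LAN, so the server's
# replies return to the firewall instead of to an address it has no route to.
# "em0:network" only expands to 192.168.200.0/24; the list covers the
# 192.168.7.0/24 clients as well.
pass out on $ext_if from $lan_nets to any nat-to ($ext_if)

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows the translated state entries for port 104 connections and confirms both the rdr-to and nat-to mappings are being applied.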