fRANz wrote:
Hi.
I've some trouble with this configuration:
LAN -- fw (openbsd 4.4) -- adsl router
LAN: 192.168.100.0/24
fw int int: sis1
fw int ind: 192.168.100.2
fw ext int: sis0
fw ext ind: 10.0.0.2
router int ind: 10.0.0.1
I try to configure pf to redirect all web traffic from the internal LAN to
an internal squid server (192.168.100.8), but rdr doesn't work.
Now clients work _without_ proxy; when I enable this rule:
rdr pass on $int_if inet proto tcp from any to port www -> 192.168.100.8 port 3128
no one can navigate.
If I manually configure the browser to use squid as proxy, everything goes
fine (so squid is active and functional).
What's the trouble in this config?!
Regards,
-f
#pf.conf
############################
# macros ###################
############################
ext_if = "sis0"
int_if = "sis1"
out_tcp = "{25, 53, 80, 110, 443}"
out_udp = "{53}"
table <class1> { 192.168.100.1/32, 192.168.100.2/32, 192.168.100.4/32, 192.168.100.5/32, 192.168.100.6/32, 192.168.100.7/32, 192.168.100.8/32, 192.168.100.250/32 }
table <class2> { 192.168.100.50/32, 192.168.100.51/32, 192.168.100.52/32, 192.168.100.53/32 }
table <class3> { 192.168.100.3/32, 192.168.100.100/32, 192.168.100.230/32 }
############################
# options ##################
############################
set block-policy return
set skip on lo0
scrub in
############################
# nat ######################
############################
nat on $ext_if from !($ext_if) to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from any to port ftp -> 127.0.0.1 port 8021
# transparent squid redirect (disabled: enabling it breaks browsing for all clients)
#rdr pass on $int_if inet proto tcp from any to port www -> 192.168.100.8 port 3128
rdr on $int_if inet proto tcp from any to 192.168.100.251/32 port 8080 -> 10.0.0.1 port 80
############################
# filter ###################
############################
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
block in all
pass in on $int_if proto icmp all keep state
pass in on $int_if proto tcp from any to 192.168.100.8 port 3128 keep state
pass in on $int_if proto {tcp, udp} from <class1> to any keep state
pass in on $int_if proto {tcp, udp} from <class3> to any keep state
pass in on $int_if proto tcp from <class2> to any port $out_tcp keep state
pass in on $int_if proto udp from <class2> to any port $out_udp keep state
pass out keep state
Create a new entry in inetd.conf, much like the one in the pf FAQ:
127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.100.8 3128
Restart inetd and then, instead of making an rdr rule redirecting the
traffic to the squid server, redirect it to the port your inetd is
listening on. netcat will then create a connection to your squid server
and everything should work:
rdr pass on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 5000
The reason why the rdr you're trying to do doesn't work is that pf
won't reflect the connection back to the interface it came from. I recall
making this work on other firewalls, but on pf it doesn't work. But
using inetd works just the same.
My regards,
--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify: https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
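The failure in the question and the explanation in the reply above both come down to one pattern: an rdr on the internal interface whose translation target sits on the same internal segment as the clients, so the target's replies reach the client directly instead of passing back through the firewall's NAT state. The following lint is an added example written for this thread (not code from either poster or from the pf FAQ); it parses the rdr rules of a pf.conf, expands `$macro` references, and flags any rule on the internal interface whose target address lies inside the internal network. The sample pf.conf, the internal interface `sis1` and the network 192.168.100.0/24 are taken from the question; the helper `workaround_lines` and its default local port 5000 mirror the inetd/nc relay the reply proposes and are hypothetical names of this example.

```python
"""Flag pf rdr rules that redirect internal clients to a host on the same
internal segment (the reflection case that breaks the transparent squid rdr)."""
import ipaddress
import re

# Constructed sample: the relevant lines of the pf.conf posted in the thread,
# with the commented-out squid rule enabled so the lint has something to flag.
SAMPLE_PF_CONF = """\
ext_if = "sis0"
int_if = "sis1"
nat on $ext_if from !($ext_if) to any -> ($ext_if)
rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from any to port ftp -> 127.0.0.1 port 8021
rdr pass on $int_if inet proto tcp from any to port www -> 192.168.100.8 port 3128
rdr on $int_if inet proto tcp from any to 192.168.100.251/32 port 8080 -> 10.0.0.1 port 80
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# interface after "on", then the translation target after "->" with an optional port
RDR_RE = re.compile(r'^\s*rdr\b.*?\bon\s+(\S+).*->\s*(\S+)(?:\s+port\s+(\S+))?')


def parse_macros(text):
    """Collect simple string macros of the form name = "value"."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(token, macros):
    """Replace $name with the macro value; leave literal tokens untouched."""
    return macros.get(token[1:], token) if token.startswith("$") else token


def rdr_rules(text):
    """Return (interface, target_host, target_port) for every active rdr rule."""
    macros = parse_macros(text)
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop comments and disabled rules
        m = RDR_RE.match(line)
        if not m:
            continue
        iface = expand(m.group(1).strip("()"), macros)
        target = expand(m.group(2), macros)
        rules.append((iface, target, m.group(3)))
    return rules


def reflected_rdrs(text, int_if, int_net):
    """Return (target, port) of rdr rules on int_if whose target is inside int_net.

    Such a target answers the client directly on the shared segment, so the
    client receives packets from an address:port it never connected to and
    resets the session; the rule must relay through the firewall instead."""
    net = ipaddress.ip_network(int_net, strict=False)
    hits = []
    for iface, target, port in rdr_rules(text):
        if iface != int_if:
            continue
        try:
            addr = ipaddress.ip_interface(target).ip  # accepts "a.b.c.d" or "a.b.c.d/32"
        except ValueError:
            continue  # hostnames and <tables> are not resolved by this lint
        if addr in net:
            hits.append((target, port))
    return hits


def workaround_lines(local_port, target, port, int_if="$int_if"):
    """Hypothetical helper: the localhost rdr plus the inetd/nc relay line from the reply."""
    return [
        f"rdr pass on {int_if} inet proto tcp from any to port www -> 127.0.0.1 port {local_port}",
        f"127.0.0.1:{local_port} stream tcp nowait nobody /usr/bin/nc nc -w 20 {target} {port}",
    ]


if __name__ == "__main__":
    for target, port in reflected_rdrs(SAMPLE_PF_CONF, "sis1", "192.168.100.0/24"):
        print(f"reflected rdr: target {target}:{port} is on the internal segment")
        for line in workaround_lines(5000, target, port):
            print("   ", line)
```

Run against the sample, the lint reports only the squid rule: the ftp-proxy rdr targets 127.0.0.1 on the firewall itself and the 8080 rule targets the router on the external subnet, so both answer back through the firewall and are left alone.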