I am setting up an OpenBSD 3.8 machine to use as a firewall and to provide NAT. I also need it to forward port 80 to an internal machine on my LAN. The NAT works fine, but I can't seem to get it to forward the traffic to my web server. I can access this server via the LAN from its internal IP, and port 80 shows up as open on the external interface when I scan myself at grc.com. However, I cannot access the web server from a machine outside my network. I ran tcpdump on both interfaces on the OpenBSD box and found that the web requests were in fact coming in on the external interface but were not getting forwarded to the server. Here is my pf.conf:
# macros
int_if = "rl0"
ext_if = "dc0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
webserver = "192.168.2.1"

# options
set block-policy drop
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
    port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80

# filter rules
block all
pass quick on lo0 all
block drop in on $ext_if from $priv_nets to any
block drop out on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
    user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
I tried changing the pass line for the webserver from synproxy state to keep state, but this resulted in port 80 not showing up as open at all.
Anyone have any ideas?