FreeBSD
mrpsycho, 2013-07-22 15:08:12

Pf: is there a misunderstanding about how nat and rdr work?

Hello,
I'm trying to learn pf under FreeBSD 9.1
and ran into a simple problem: I can't set up a port redirect.
Here is my /etc/pf.conf:
### interfaces
int = "ale0"                      # internal (LAN) interface
ext = "vr0"                       # external (Internet) interface
localnet = $int:network           # network attached to $int
### servers
mail = "192.168.1.251"            # defined but not referenced below
mail_smtp = "192.168.1.250"       # target of the smtp redirect
### services
mail_services = "{ loc-srv, smtps, submission, imap, imaps }"   # defined but not referenced below
icmp_types = "{ echoreq, unreach }"
#nat
# outbound traffic from the LAN is masqueraded behind the address of $ext
nat on $ext from $localnet to any -> ($ext)
# inbound tcp/25 arriving on $ext is redirected to the mail relay; "pass"
# lets the translated packet through without further filter evaluation
rdr pass on $ext proto tcp from any to any port smtp -> $mail_smtp
# nothing else is redirected (translation rules are first-match)
no rdr
########### filtering
block all
pass inet from { lo0, $localnet } to any keep state
pass in inet proto tcp to port { 10022, http, https }
pass inet proto icmp icmp-type $icmp_types
pass out on $ext inet proto udp to port 33433 >< 33626    # traceroute
Now, if I try to connect to port 25, telnet gives this:
telnet: Unable to connect to remote host: No route to host
The local network itself is 192.168.0.0/22; the router has the address 192.168.

3 answers
mrpsycho, 2013-09-05
@mrpsycho

By the way, it turns out that I had understood how pf works correctly.
However, the machine I was testing from was still using the old default gateway, which is why the return traffic went through the old gateway.
When I set the new gateway, everything worked immediately.
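The behaviour the asker ran into (an rdr that matches, but a server whose return traffic goes out through another gateway) can be modelled in a few lines. The following is an added illustration, not pf's code or anything from the original thread: a simplified model of first-match rdr translation on $ext, the state entry that lets pf reverse the translation, and the routing decision on the redirected server. The public address for vr0, the pf host's LAN address and the client address are constructed placeholders; only the macros and the rdr rule come from the posted pf.conf.

```python
"""Simplified model of pf rdr + state vs. the redirected server's gateway.

Added example, not pf's implementation. It shows why a correct rdr rule
still fails when the internal server's default gateway is another router:
the reply never passes the pf host, so the state entry never un-translates it.
"""
import ipaddress
from dataclasses import dataclass

# Values taken from the posted pf.conf
LOCALNET = ipaddress.ip_network("192.168.0.0/22")   # $localnet
MAIL_SMTP = "192.168.1.250"                         # $mail_smtp
# Constructed placeholders (assumptions, not from the thread)
EXT_IF_ADDR = "203.0.113.10"        # address of vr0 ($ext)
PF_HOST_LAN_ADDR = "192.168.1.1"    # address of the pf host on ale0 ($int)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


# (proto, destination port, redirect target): first match wins, as with pf
# translation rules. Mirrors: rdr pass on $ext proto tcp ... port smtp -> $mail_smtp
RDR_RULES = [("tcp", 25, MAIL_SMTP)]


def apply_rdr(pkt, rules=RDR_RULES):
    """Translate an inbound packet arriving on $ext.

    Returns (translated_packet, state). The state records the original and
    translated destination so a reply can be mapped back to the public address.
    """
    for _proto, port, target in rules:
        if pkt.dst == EXT_IF_ADDR and pkt.dport == port:
            translated = Packet(pkt.src, target, pkt.dport, pkt.sport)
            state = {"src": pkt.src, "sport": pkt.sport, "dport": pkt.dport,
                     "orig_dst": pkt.dst, "new_dst": target}
            return translated, state
    return pkt, None               # 'no rdr': everything else is left alone


def reply_reaches_pf(server_gateway):
    """The server's reply to a non-local client goes to its default gateway.
    Only if that gateway is the pf host does the reply meet the state entry."""
    return server_gateway == PF_HOST_LAN_ADDR


def un_rdr(reply, state):
    """Reverse translation: rewrite the server's source back to the $ext address."""
    if (reply.src == state["new_dst"] and reply.dst == state["src"]
            and reply.sport == state["dport"] and reply.dport == state["sport"]):
        return Packet(state["orig_dst"], reply.dst, reply.dport, reply.sport)
    return reply


def simulate_smtp_connection(client_ip, server_gateway):
    """Model a SYN from the Internet to port 25 and the SYN/ACK coming back."""
    syn = Packet(client_ip, EXT_IF_ADDR, 25)
    forwarded, state = apply_rdr(syn)
    if state is None:
        return "no rdr match"
    assert ipaddress.ip_address(forwarded.dst) in LOCALNET
    synack = Packet(forwarded.dst, client_ip, dport=syn.sport, sport=25)
    if not reply_reaches_pf(server_gateway):
        # Asymmetric path: the reply leaves via the other router with
        # src 192.168.1.250 and is never un-translated; the client gets nothing usable.
        return "reply bypasses pf: server's default gateway is not the pf host"
    back = un_rdr(synack, state)
    return f"ok: client sees reply from {back.src}:{back.sport}"


if __name__ == "__main__":
    print(simulate_smtp_connection("198.51.100.7", "192.168.1.254"))  # old gateway
    print(simulate_smtp_connection("198.51.100.7", PF_HOST_LAN_ADDR))  # pf host as gateway
```

The first call reproduces the asker's situation (server still pointing at the old gateway); the second is the fix from the accepted answer. The model ignores the filter rules entirely, which matches the posted configuration, because `rdr pass` already admits the translated packet without filter evaluation.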

Denis, 2013-07-22
@uscr

telnet: Unable to connect to remote host: No route to host

The firewall has nothing to do with it. The host is not reachable on the network. If the port were closed, you would get: telnet: Unable to connect to remote host: Connection refused.

Sonar, 2013-07-22
@Sonar

I'm not strong in pf, so go easy on me.
This construction confuses me:
nat on $ext from $localnet to any -> ($ext)
Shouldn't it be ($int)?
