# port redirecting with PF fail



## SIFE (Sep 29, 2010)

I am trying to redirect packets from the external IP (x.x.x.x) to the internal IP (192.168.1.2). I watched the packets as they pass and I see port unreachable.

If I use 192.168.1.2:8080 it works fine, but if I change it to x.x.x.x:8080 it does not work.


```
11:47:18.837301 IP localhost.61777 > x.x.x.x.8080: Flags [S], seq 3896576648, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2647558 ecr 0], length 0
11:47:18.837716 IP x.x.x.x.8080 > localhost.61777: Flags [FR.], seq 0, ack 3896576649, win 0, length 0
11:47:18.839703 IP x.x.x.x > localhost: ICMP x.x.x.x tcp port 8080 unreachable, length 36
```
my pf.conf:

```
#***************************************************** 	var's
ext_if = "re0"
int_ip = "{192.168.1.0/24 ,127.0.0.1}"
tcp_services = "{http ,https ,ssh ,domain ,8080}"
udp_services = "{23399 ,domain}"
int_services = "{3306 ,8080}"
p2p_tcp = "{4662 ,4672}"
p2p_udp = "{4665}"

#***************************************************** options
set block-policy drop
set loginterface re0
set skip on lo0

#*****************************************************   NAT
# aMule TCP and UDP
#rdr pass on egress proto tcp to port 4662 -> 192.168.1.2
#rdr pass on egress proto udp to port 4672 -> 192.168.1.2
#rdr pass on egress proto udp to port 4665 -> 192.168.1.2

# allow access from outside to web server,mysql
rdr pass on $ext_if proto tcp from any to any port $int_services -> 192.168.1.2

# nat for vpn client
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if

#*****************************************************  Rules
# block in&out traffic
block drop in log(all) on $ext_if all
block drop out log(all ,user) on $ext_if all

#pass in on $ext_if proto tcp from any to any port 8080 rdr-to 192.168.1.2

# pass in tcp&udp traffic for some ports
pass in on $ext_if inet proto tcp from any port $tcp_services \
					to any keep state
pass in on $ext_if inet proto udp from any port $udp_services \
					to any keep state
pass in on $ext_if inet proto tcp from any \
					to any port $int_services keep state
pass in on $ext_if inet proto {tcp ,udp} from $int_ip port $int_services \
					to $int_ip port $int_services keep state

# pass out tcp&udp traffic for some ports
pass out on $ext_if inet proto tcp from any to any port \
					$tcp_services modulate state
pass out on $ext_if inet proto udp from any to any port \
					$udp_services modulate state

# pass in and out p2p traffic
pass in on $ext_if inet proto tcp from any port $p2p_tcp \
					to any no state
pass in on $ext_if inet proto udp from any port $p2p_udp \
                                        to any no state
#pass out on $ext_if inet proto tcp from any port $p2p_tcp \
#					to any keep state
#pass out on $ext_if inet proto udp from any to any port \
#					$p2p_udp modulate state

# block nmap scan
#*********** XMASS SCAN **************#
#block drop in log(all) on $ext_if inet proto tcp from any \	
#					flags FUP/ to any 
#block drop in log(all) on $ext_if inet proto tcp flags FUP/RA
#block drop in log(all) on $ext_if inet proto tcp flags FUP/
```
After I made some changes to sysctl :

```
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 1
```
I get this from wireshark:

```
12:05:32.698393 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 3740233 ecr 0], length 0
12:05:35.700690 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 3743233 ecr 0], length 0
12:05:38.904153 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 3746433 ecr 0], length 0
12:05:39.440841 IP localhost.56766 > 66.249.92.104.http: Flags [F.], seq 980015912, ack 2092775662, win 8207, options [nop,nop,TS val 3746969 ecr 3071078567], length 0
12:05:39.586692 IP 66.249.92.104.http > localhost.56766: Flags [F.], seq 1, ack 1, win 227, options [nop,nop,TS val 3071196365 ecr 3746969], length 0
12:05:39.586777 IP localhost.56766 > 66.249.92.104.http: Flags [.], ack 2, win 8207, options [nop,nop,TS val 3747114 ecr 3071196365], length 0
12:05:42.107625 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,sackOK,eol], length 0
12:05:45.311094 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,sackOK,eol], length 0
12:05:48.514567 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,sackOK,eol], length 0
12:05:54.721291 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,sackOK,eol], length 0
12:05:59.867910 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from xx:xx:xx:xx:xx:xx (oui Unknown), length 300
12:06:06.876493 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from xx:xx:xx:xx:xx:xx (oui Unknown), length 300
12:06:06.934529 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,sackOK,eol], length 0
12:06:14.886172 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from xx:xx:xx:xx:xx:xx (oui Unknown), length 300
12:06:27.901281 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from xx:xx:xx:xx:xx:xx (oui Unknown), length 300
12:06:31.160780 IP 0.0.0.0.52177 > x.x.x.x.8080: Flags [S], seq 2115572525, win 65535, options [mss 1460,sackOK,eol], length 0
12:06:47.925007 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from xx:xx:xx:xx:xx:xx (oui Unknown), length 300
12:06:49.798299 IP localhost.56725 > 192.168.1.1.domain: 16881+ A? www.stopbadware.org. (37)
12:06:49.961038 ARP, Request who-has localhost tell 192.168.1.1, length 46
12:06:49.961057 ARP, Reply localhost is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28
12:06:49.961061 IP 192.168.1.1.domain > localhost.56725: 16881 2/5/10 CNAME stopbadware.org., A 128.103.64.79 (386)
12:07:19.027050 IP 192.168.1.1 > ALL-SYSTEMS.MCAST.NET: igmp query v2
```
Now I don't see port unreachable but I still can't reach my web server.


----------



## triumdh (Sep 29, 2010)

You have

```
rdr pass on $ext_if proto tcp from any to any port $int_services -> 192.168.1.2
```

Try

```
rdr on $ext_if proto tcp from any to $ext_if port $int_services -> 192.168.1.2
```

I also use one line per port redirection but I am not sure if that matters.


----------



## wblock@ (Sep 29, 2010)

I believe when you rdr inward into your NAT network, you also need a nat rule for it on the way back out.  At least that's how I finally got it to work for a similar use.  I'd give examples, but it's possible or even likely that mine are absolutely the wrong way to do it.  (Firewalls for me are like house painting: by the time I get really good at it, the job is done and I won't do it again for years.)

It'd be nice to find some clear, simple example pf rules.  I've found several, but they seem to all do the same thing different ways.


----------



## SIFE (Sep 30, 2010)

I updated my pf.conf to this:

```
ext_if = "re0"
int_ip = "{192.168.1.0/24 ,127.0.0.1}"
tcp_services = "{80 ,443 ,22 ,53}"
udp_services = "{23399 ,53}"
int_services = "{3306 ,8080}"
p2p_tcp = "{4662 ,4672}"
p2p_udp = "{4665}"
set block-policy drop
set loginterface re0
set skip on lo0
rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.2
block drop in log(all) on $ext_if all
pass in on $ext_if inet proto tcp from any to 192.168.1.2 port 8021 
pass in on $ext_if inet proto tcp from any port $tcp_services \
					to any keep state
pass in on $ext_if inet proto udp from any port $udp_services \
					to any keep state
pass in on $ext_if inet proto tcp from any \
                                        to $ext_if port 8080 keep state
pass in on $ext_if inet proto tcp from any \
					port 8080 to any keep state
pass in on $ext_if inet proto {tcp ,udp} from $int_ip port $int_services \
					to $int_ip port $int_services keep state
pass in on $ext_if proto igmp all allow-opts
pass out on $ext_if inet proto tcp from any to any port \
					$tcp_services modulate state
pass out on $ext_if inet proto udp from any to any port \
					$udp_services modulate state
pass in on $ext_if inet proto tcp from any port $p2p_tcp \
					to any no state
pass in on $ext_if inet proto udp from any port $p2p_udp \
                                        to any no state
```
tcpdump output:

```
11:00:05.677107 IP x.x.x.x.8080 > localhost.55518: Flags [FR.], seq 0, ack 3586364393, win 0, length 0
11:00:05.679074 IP x.x.x.x > localhost: ICMP x.x.x.x tcp port 8080 unreachable, length 36
11:00:08.680681 IP x.x.x.x.8080 > localhost.55518: Flags [FR.], seq 0, ack 1, win 0, length 0
11:00:08.680695 IP x.x.x.x > localhost: ICMP x.x.x.x tcp port 8080 unreachable, length 36
11:00:11.884252 IP x.x.x.x.8080 > localhost.55518: Flags [FR.], seq 0, ack 1, win 0, length 0
11:00:11.884267 IP x.x.x.x > localhost: ICMP x.x.x.x tcp port 8080 unreachable, length 36
```


----------



## triumdh (Sep 30, 2010)

You seem to be redirecting from any to any

```
rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.2
```

as opposed to from any to the external interface

```
rdr on $ext_if proto tcp from any to $ext_if port 8080 -> 192.168.1.2
```

As for NATing, you will only need to do that if you want internal IP addresses to reach internal servers.


----------



## wblock@ (Sep 30, 2010)

triumdh said:

> You seem to be redirecting from any to any
> 
> ```
> rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.2
> ...



Doh!  That's right, I have two sets of rules.  A rdr on $ext_if to the internal server, and a nat and rdr on the $int_if.


----------



## SIFE (Sep 30, 2010)

I still can't reach it.


----------



## triumdh (Sep 30, 2010)

SIFE,

tcpdump on internal and external interfaces will give more information.


```
tcpdump -i ext_if port 8080
tcpdump -i int_if port 8080
```


----------



## SIFE (Oct 1, 2010)

```
11:00:05.677107 IP x.x.x.x.8080 > localhost.55518: Flags [FR.], seq 0, ack 3586364393, win 0, length 0
11:00:05.679074 IP x.x.x.x > localhost: ICMP x.x.x.x tcp port 8080 unreachable, length 36
11:00:08.680681 IP x.x.x.x.8080 > localhost.55518: Flags [FR.], seq 0, ack 1, win 0, length 0
11:00:08.680695 IP x.x.x.x > localhost: ICMP x.x.x.x tcp port 8080 unreachable, length 36
11:00:11.884252 IP x.x.x.x.8080 > localhost.55518: Flags [FR.], seq 0, ack 1, win 0, length 0
11:00:11.884267 IP x.x.x.x > localhost: ICMP x.x.x.x tcp port 8080 unreachable, length 36
```
I have only one interface.


----------



## triumdh (Oct 1, 2010)

Please show rc.conf


----------



## tommyj27 (Oct 1, 2010)

re: wblock - a corresponding NAT rule is not required for return traffic. pf (by default) will keep state and do the right thing with return traffic.

re: SIFE - It seems to me that we may not understand your network topology. I think most people here assume a traditional firewall configuration.

INTERNET-----|ext_if|FIREWALL|int_if|-----|SERVER|

If your configuration is different, perhaps you could explain it to us.


----------



## SIFE (Oct 3, 2010)

```
|INTERNET|--------|router|--------|PC with PF and WWW|
```

I have no LAN. I also updated my pf.conf like this:


```
ext_if = "re0"
int_ip = "{192.168.1.0/24 ,127.0.0.1}"
tcp_services = "{80 ,443 ,22 ,53}"
ext_ip = "{x.x.x.x}"
udp_services = "{23399 ,53}"
int_services = "{3306 ,8080}"
p2p_tcp = "{4662 ,4672}"
p2p_udp = "{4665}"

set block-policy drop
set loginterface re0
set skip on lo0
scrub out on $ext_if random-id

nat on $ext_if inet proto tcp from $int_ip port 8080 to any -> $ext_ip port 8080
rdr pass on $ext_if inet proto tcp \
	from any to $ext_ip port 8080 -> 192.168.1.2 port 8080

block drop in log(all) on $ext_if all
block drop out log(all ,user) on $ext_if all

pass in on $ext_if inet proto tcp from any to 192.168.1.2 port 8021 
pass in on $ext_if inet proto tcp from any port $tcp_services \
					to any keep state
pass in on $ext_if inet proto udp from any port $udp_services \
					to any keep state
pass in on $ext_if inet proto {tcp ,udp} from $int_ip port $int_services \
					to $int_ip port $int_services keep state
pass in on $ext_if proto igmp all allow-opts

pass out on $ext_if inet proto tcp from any to any port \
					$tcp_services modulate state
pass out on $ext_if inet proto udp from any to any port \
					$udp_services modulate state
pass in on $ext_if inet proto tcp from any port $p2p_tcp \
					to any no state
pass in on $ext_if inet proto udp from any port $p2p_udp \
                                        to any no state
pass out on $ext_if inet proto tcp from any to any modulate state
```


----------



## da1 (Oct 3, 2010)

Try splitting:

```
rdr pass on $ext_if inet proto tcp from any to $ext_ip port 8080 -> 192.168.1.2 port 8080
```
into:

```
rdr on $ext_if inet proto tcp from any to $ext_ip port 8080 -> 192.168.1.2 port 8080
pass in on $ext_if from any to 192.168.1.2 port 8080
```

The latter is the only way it works for me. I spent 2 days hitting my head against the wall but couldn't find the reason why it behaves like that.


----------



## triumdh (Oct 3, 2010)

SIFE, you started the post "I am trying to redirect packets from external ip (x.x.x.x) to internal ip (192.168.1.2)"

Then your diagram shows:


```
|INTERNET|--------|router|--------|PC with PF and WWW|
```

You would need to set up redirection on the router.
The PC shouldn't need redirection as it is the web server.

Or am I missing something?


----------



## SIFE (Oct 3, 2010)

> You would need to set up redirection on the router.


I tried it before but it doesn't work.
I have a modem/router called HUAWEI SmartAX AT880.


----------



## triumdh (Oct 4, 2010)

SIFE, remove the redirectors from the pf.conf on the PC and allow traffic to port 8080.
Then you will need a manual or different forum for the router.


----------



## SIFE (Oct 5, 2010)

Mr triumdh, I did it but nothing works. I also tried the hardware port forward but that doesn't work either.


----------



## quintessence (Oct 6, 2010)

Hello, 

http://forums.freebsd.org/showthread.php?t=17746


----------



## SirDice (Oct 6, 2010)

You cannot "bounce" traffic out the same interface with rdr.

From pf.conf(5):


> Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.


----------



## SIFE (Oct 8, 2010)

> Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.


Which means redirection works only in a LAN, too bad.
I also tried net/rinetd before but it can't bind my external IP.


----------



## mecano (Oct 18, 2010)

Put your web server (I assume it is one, port 8080) in a jail (ezjail is nice to start with).
You'll then be able to rdr from external interface to virtual local interface.

INTERNET -- ROUTER  -- FIREWALL/SERVER IN JAIL


----------



## SIFE (Oct 21, 2010)

In the end I found my ISP blocks all ports except some.


----------

