# PF + SQUID FreeBSD (rdr)



## pashos (Sep 21, 2010)

So I want to redirect to my server:
1. FreeBSD (pf+squid) gateway
2. Server (win_server)

I want to connect to my win_server from the WWW with the RDP protocol. I've created these rules on my pf:


```
rdr on $ext_if proto tcp from any to $ext_if port rdp -> $server
rdr on $ext_if proto {tcp, udp} from any to $ext_if port 3389 -> $server port 3389

pass in on $ext_if proto {tcp, udp} from any to $ext_if port 3389
pass out on $int_if proto {tcp, udp} from any to $server port 3389
```

But no connection.


----------



## kisscool-fr (Sep 21, 2010)

Try something like this


```
pass in on $ext_if proto {tcp, udp} from any to $server port 3389   # $server, not $ext_if
pass out on $int_if proto {tcp, udp} from any to $server port 3389
```


----------



## pashos (Sep 22, 2010)

```
#===RDR_RDP_Radmin===
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $server port 3389
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $server port 4899

#====RDR_RDP_Radmin===
pass in on $ext_if proto {tcp, udp} from any to $server port 3389
pass out quick on $int_if inet proto {tcp, udp} from any to $server port 3389
pass in on $ext_if proto {tcp, udp} from any to $server port 4899
pass out quick on $int_if inet proto {tcp, udp} from any to $server port 4899
```


No connection.


----------



## pashos (Sep 22, 2010)

```
#===RDR===
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $dns_srv port 3389
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $dns_srv port 4899

block in
block in quick from <bad_host>
antispoof quick for { lo0 $int_if } inet

#====RDR Allow===
pass in on $ext_if proto {tcp, udp} from any to $dns_srv port 3389
pass out quick on $int_if inet proto {tcp, udp} from any to $dns_srv port 3389
pass in on $ext_if proto {tcp, udp} from any to $dns_srv port 4899
pass out quick on $int_if inet proto {tcp, udp} from any to $dns_srv port 4899
```


----------



## pashos (Sep 22, 2010)

> pashos said:
>
> ```
> #===RDR===
> rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $server port 3389
> rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $server port 4899
> ...



No connection.


----------



## kisscool-fr (Sep 22, 2010)

An entire pf.conf will help us to help you!

Try this:




			
> pashos said:
>
> ```
> #===RDR===
> rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $dns_srv port 3389   # "pass" added
> rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $dns_srv port 4899   # "pass" added
> ...


----------



## pashos (Sep 22, 2010)

```
ext_if="re0"
int_if="vr0"
lan_net="192.168.1.0/24"
dns_srv="192.168.1.2"
#nat_ports="{5190, 21, 443, 563, 110}"
mail_users="{192.168.1.17, 192.168.1.24, 192.168.1.4, 192.168.1.5}"
mail_ports="{pop3, smtp, imap, pop3s, imaps}"
mail_srv="1.1.1.1"

table  <swat>    {192.168.1.0/24}
table  <bad_host> persist

set skip on { lo0 }
set block-policy return
set loginterface $ext_if
set optimization normal

scrub in

#====NAT====
nat on $ext_if inet from $mail_users to $mail_srv port $mail_ports -> ($ext_if:0)
nat on $ext_if inet from $int_if:network to any port {5190, 21, 110, 443, 25, 443, 563, 11} ->
nat on $ext_if proto {tcp, udp} from $dns_srv to any port 53 -> ($ext_if:0)
nat-anchor "ftp-proxy/*"

rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from $int_if:network to ! <swat> port www -> 127.0.0.1 port 8080
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#===RDR===
rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $dns_srv port 3389
rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $dns_srv port 4899

#block in
#block in quick from <bad_host>
antispoof quick for { lo0 $int_if } inet

#====RDR Allow===
#pass in on $ext_if proto {tcp, udp} from any to $ext_if port 3389
#pass out quick on $int_if inet proto {tcp, udp} from any to $ext_if port 3389
#pass in on $ext_if proto {tcp, udp} from any to $dns_srv port 4899
#pass out quick on $int_if inet proto {tcp, udp} from any to $dns_srv port 4899
#=====SSH=====
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 keep state
pass in on $ext_if proto {tcp, udp} from any to self port 1723
pass in on $ext_if proto tcp from any to any port ssh \
     flags S/SA keep state \
```

No results -> no connection.


----------



## kisscool-fr (Sep 22, 2010)

Do you have any errors if you check your rules with `pfctl -vnf /etc/pf.conf`?

Don't have enough time to check your pf.conf, but you should start with something simpler to see if it works and adjust your rules next.


```
ext_if="re0"
int_if="vr0"
lan_net="192.168.1.0/24"
dns_srv="192.168.1.2"
#nat_ports="{5190, 21, 443, 563, 110}"
mail_users="{192.168.1.17, 192.168.1.24, 192.168.1.4, 192.168.1.5}"
mail_ports="{pop3, smtp, imap, pop3s, imaps}"
mail_srv="1.1.1.1"

table  <swat>    {192.168.1.0/24}
table  <bad_host> persist

set skip on { lo0 }
set block-policy return
set loginterface $ext_if
set optimization normal

scrub in


nat on $ext_if from ! $ext_if -> $ext_if

rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 3389 -> $dns_srv port 3389
rdr pass on $ext_if inet proto {tcp, udp} from any to $ext_if port 4899 -> $dns_srv port 4899

block in on $ext_if
```


----------
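
The point kisscool-fr is making, as an added example that is not a post from this thread: pf applies `rdr` before the filter rules, so a filter rule that passes the forwarded traffic must match the destination after translation (`$server`), or the translation rule itself must carry `pass`. The config below is a minimal /etc/pf.conf built on the interface names and addresses from pashos' posts; the `<rdp_admins>` table with 203.0.113.0/24 is an assumed placeholder for the networks you administer from. It also tightens two things the posted rules leave open: the forwards are TCP only (classic RDP and Radmin do not use UDP), and the source is restricted instead of `any`, because an RDP or Radmin port open to the whole Internet is a standing brute-force target. The posted pf.conf also has `block in` commented out, so it currently passes everything inbound by default; this example restores the default deny.

```pf
# Added example, not a post from this thread: minimal /etc/pf.conf that forwards
# RDP (tcp/3389) and Radmin (tcp/4899) from the Internet to one LAN host.
# Interfaces and addresses follow pashos' config; <rdp_admins> is an assumed
# placeholder for the networks you administer from.
ext_if="re0"
int_if="vr0"
lan_net="192.168.1.0/24"
server="192.168.1.2"
fwd_ports="{ 3389, 4899 }"

# Only these sources may reach the forwarded ports.  "from any" here would
# expose the RDP and Radmin logins to brute forcing from the whole Internet.
table <rdp_admins> { 203.0.113.0/24 }

set skip on lo0
set block-policy return
set loginterface $ext_if

scrub in all

# Translation rules must precede filter rules in this pf version.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# rdr happens before filtering, so a separate "pass in ... to $ext_if port 3389"
# never matches: by then the destination is already $server.  "rdr pass" passes
# matching packets without consulting the filter rules at all, and "log" makes
# them visible on pflog0.  No port after $server keeps the original port.
rdr pass log on $ext_if inet proto tcp from <rdp_admins> to ($ext_if) port $fwd_ports -> $server

# If you prefer plain rdr plus an explicit filter rule, use this pair instead;
# the pass rule must name the translated destination and come after "block in".
#rdr on $ext_if inet proto tcp from <rdp_admins> to ($ext_if) port $fwd_ports -> $server
#pass in log on $ext_if inet proto tcp from <rdp_admins> to $server port $fwd_ports keep state

# Default deny on the outside (the posted config has this commented out, so it
# currently passes everything inbound); LAN traffic is allowed through.
block in log on $ext_if
antispoof quick for $int_if inet
pass out on $ext_if keep state
pass in on $int_if from $lan_net keep state
pass out on $int_if keep state
```

Two things outside pf.conf also have to hold. The Windows host must use the gateway's vr0 address as its default route (assumed here to be 192.168.1.1), otherwise the reply to the forwarded SYN leaves by another path and pf never sees it. And the test must come from outside: `rdr on $ext_if` does not match a LAN client connecting to the external address. Load with `pfctl -f /etc/pf.conf` (`pfctl -nf` only parses) and confirm the running rules with `pfctl -sn`.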



## Jaax (Sep 22, 2010)

Hi,

Did you try to capture packets with tcpdump when you launch the connection?
`$ tcpdump -i pflog0 -nn -n -s0 -e port 3389 or port 4899`

If you don't have the interface pflog0:
`$ kldload pflog`

and verify with ifconfig.


----------



## pashos (Sep 23, 2010)

Hi, I've checked with `pfctl -vnf /etc/pf.conf`, no errors.


----------



## pashos (Sep 23, 2010)

`pfctl -vnf /etc/pf.conf`
no errors


```
freebsd# tcpdump -i pflog0 -nn -n -s0 -e port 3389 or port 4899
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes

freebsd# kldload pflog
kldload: can't load pflog: File exists
freebsd#
```


----------
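
Following up on Jaax's tcpdump suggestion and the empty pflog0 capture above: pflog0 only carries packets matched by rules that have the `log` keyword, so a silent pflog0 while no rule logs proves nothing. The script below is added here and is not part of any post; it walks the checks a practitioner would run on the gateway in order: parse and actually load the ruleset (`pfctl -nf` only parses), confirm the rdr is in the running ruleset with `pfctl -sn`, then capture on re0, vr0 and pflog0 in turn, and finally look for a state entry with `pfctl -ss`. Interface names and the 192.168.1.2 target are taken from pashos' config and can be overridden through the environment.

```shell
#!/bin/sh
# Added troubleshooting script, not from any post in this thread.  Interface
# names and the target host follow pashos' config (re0 outside, vr0 inside,
# 192.168.1.2); override them through the environment if yours differ.
EXT_IF="${EXT_IF:-re0}"
INT_IF="${INT_IF:-vr0}"
SERVER="${SERVER:-192.168.1.2}"
PORT="${PORT:-3389}"

# pfctl -nf only parses the file; nothing changes in the kernel until the
# same file is loaded without -n.
pf_reload() {
    pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
}

# True when the loaded translation rules (pfctl -sn) contain a redirect to
# SERVER:PORT.  Reads stdin, so it works on live or saved pfctl output.
has_rdr() {
    grep -qF -- "-> ${SERVER} port ${PORT}"
}

# True when the state table (pfctl -ss) has an entry for SERVER:PORT, which
# only exists if the rdr matched and a pass rule let the SYN through.
has_state() {
    grep -qF -- "${SERVER}:${PORT}"
}

main() {
    pf_reload || { echo "pf.conf rejected, fix the error above"; exit 1; }
    if pfctl -sn | has_rdr; then
        echo "rdr to ${SERVER}:${PORT} is loaded"
    else
        echo "no rdr to ${SERVER}:${PORT} in the running ruleset"
        exit 1
    fi
    echo "connect with the RDP client from OUTSIDE now; capturing 3 packets at each point"
    # Empty here: the SYN never reaches this box (modem/ISP), pf is not at fault.
    tcpdump -ni "${EXT_IF}" -c 3 "tcp port ${PORT}"
    # SYN leaves but no SYN-ACK comes back: ${SERVER} uses another default
    # gateway, or Windows Firewall drops it.  pf has done its job at this point.
    tcpdump -ni "${INT_IF}" -c 3 "host ${SERVER} and tcp port ${PORT}"
    # pflog0 carries only packets matched by rules that have "log"; a pflog0
    # capture that stays silent (as in the thread) just means no rule logged.
    tcpdump -ni pflog0 -e -c 3 "tcp port ${PORT}"
    if pfctl -ss | has_state; then
        echo "state exists for ${SERVER}:${PORT}: pf forwarded the connection"
    else
        echo "no state for ${SERVER}:${PORT}: the packet was blocked or never arrived"
    fi
}

# Only runs when invoked as "sh pf-rdr-check.sh run" (as root on the gateway).
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root on the gateway with `sh pf-rdr-check.sh run` and retry the RDP connection from outside at each capture; the capture that stays empty is the one that points at the problem. `has_rdr` and `has_state` can also be fed saved `pfctl -sn` and `pfctl -ss` output when you are looking at someone else's box.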

