any BSD PF "experts" here?

Technomage technomage-hawke at cox.net
Sun Mar 5 21:28:17 MST 2006


ok, I seem to be running into a small problem with my pf (OpenBSD) firewall.

seems I cannot get the auth port (113) to forward (even though I have followed 
the documentation and even had some help).

below are the relevant sections of PF I am concerned with:
#######################################################################
### Macros: define common values, so they can be referenced and
### changed easily.
ext_if="le0"    # replace with actual external interface name i.e., dc0
int_if="hme0"   # replace with actual internal interface name i.e., dc1

### Network macros

#hosts
internal_net="192.168.16.1/24"
skype_addr="192.168.16.4"
bittorrent_4_addr="192.168.16.4"
bittorrent_1_addr="192.168.16.17"
mechwarrior_addr="192.168.16.17"
identd_addr="192.168.16.4"
sshd_addr="192.168.16.4"

### System macros
nat_proto="{ tcp, udp, icmp, igmp }"

#######################################################################
### Normalization: reassemble fragments and resolve or reduce traffic
### ambiguities.
scrub in all
scrub out all

#######################################################################
### Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if inet proto $nat_proto \
        from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.

rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        39046 -> $skype_addr port 39046
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        36881:36889 -> $bittorrent_4_addr port 36881:*
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        6881:6889 -> $bittorrent_1_addr port 6881:*
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        2300:2350 -> $mechwarrior_addr port 2300:*
rdr on $ext_if inet proto udp from any to ($ext_if) port \
        2300:2350 -> $mechwarrior_addr port 2300:*
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        113 -> $identd_addr port 113
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        2222 -> $sshd_addr port 22

#######################################################################
## Filtering: the implicit first two rules are
# pass all local traffic, and block everything else.
pass quick on lo0 all
block in all
block out all

###
### [ext] pass in all allowed traffic

# DHCP assignments to Firewalled Host
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 68 }

# Skype to VoIP Host
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 39046 } keep state flags S/SA

# Bit Torrent space 4
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 36881, 36882, \
        36883, 36884, 36885, 36886, 36887, 36888, \
        36889 } keep state flags S/SA

# Bit Torrent space 1
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 6881, 6882, \
        6883, 6884, 6885, 6886, 6887, 6888, \
        6889 } keep state flags S/SA

#mechwarrior ports
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 2300 2301 2302 \
        2303 2304 2305 2306 2307 2308 2309 2310 2311 \
        2312 2313 2314 2315 2316 2317 2318 2319 \
        2320 2321 2322 2323 2324 2325 2326 2327 2328 \
        2329 2330 2331 2332 2333 2334 2335 2336 2337 \
        2338 2339 2340 2341 2342 2343 2344 2345 2346 \
        2347 2348 2349 2350 } keep state flags S/SA

pass in on $ext_if inet proto udp \
        from any to $ext_if port { 2300 2301 2302 \
        2303 2304 2305 2306 2307 2308 2309 2310 2311 \
        2312 2313 2314 2315 2316 2317 2318 2319 \
        2320 2321 2322 2323 2324 2325 2326 2327 2328 \
        2329 2330 2331 2332 2333 2334 2335 2336 2337 \
        2338 2339 2340 2341 2342 2343 2344 2345 2346 \
        2347 2348 2349 2350 }

# Identd Auth (for irc)
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 113 } keep state flags S/SA

# sshd high port
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 2222 } keep state flags S/SA


### [ext] pass out all previously nat'd protocols
pass out on $ext_if inet proto $nat_proto \
        all keep state

###
### [int] pass in/out all internal traffic to the outside/inside & keep state
pass in on $int_if inet proto $nat_proto \
        all keep state
pass out on $int_if inet proto $nat_proto \
        all keep state

####################

now, so far, all attempts to have this work (especially for ssh and auth) seem 
to fail. The traffic gets to the port on the firewall and then goes nowhere 
after that.

HELP!
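A static check for the rule-set pattern used in the post, added here as an editor's example and not part of the original message or of any OpenBSD tool. It rests on one property of the pf of that era (the `nat`/`rdr` syntax shown above): `rdr` rewrites the destination before the filter rules run, so a `pass in` rule meant to admit redirected traffic has to match the translated destination (the internal host and its port), not `$ext_if` and the external port. The script joins backslash-continued lines, expands macros, pairs each `rdr` with the `pass in` rules on the same interface and protocol, and reports every redirect that no pass rule admits, noting when the only candidate pass rule is written against the pre-translation address. The `PF_CONF` excerpt is constructed for the example; it copies the macro and rule shapes from the post but is not the poster's file, and the one `pass ... to $sshd_addr port 22` rule is included only to show what a covered redirect looks like.

```python
"""Check that every pf 'rdr' rule has a matching 'pass in' rule written
against the translated (internal) destination rather than $ext_if."""
import re

# Constructed excerpt in the style of the posted pf.conf (not the original file).
PF_CONF = r"""
ext_if="le0"
identd_addr="192.168.16.4"
bittorrent_4_addr="192.168.16.4"
sshd_addr="192.168.16.4"
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        113 -> $identd_addr port 113
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        36881:36889 -> $bittorrent_4_addr port 36881:*
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        2222 -> $sshd_addr port 22
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 113 } keep state flags S/SA
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 36881, 36882, 36883, 36884, 36885, \
        36886, 36887, 36888, 36889 } keep state flags S/SA
pass in on $ext_if inet proto tcp \
        from any to $ext_if port { 2222 } keep state flags S/SA
pass in on $ext_if inet proto tcp \
        from any to $sshd_addr port 22 keep state flags S/SA
"""

RDR_RE = re.compile(r"^rdr on (\S+) inet proto (\w+) from \S+ to (\S+) port (\S+) -> (\S+) port (\S+)$")
PASS_RE = re.compile(r"^pass in on (\S+) inet proto (\w+) from \S+ to (\S+) port (\{[^}]*\}|\S+)")


def join_continuations(text):
    """Drop comments and merge backslash-continued lines into logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(" ".join(buf.split()))
        buf = ""
    return logical


def parse_macros(lines):
    """Collect name="value" macro definitions."""
    macros = {}
    for line in lines:
        m = re.match(r'^(\w+)="?(.*?)"?$', line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros):
    """Substitute $macro references and strip the ($ext_if) parentheses."""
    line = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)
    return line.replace("(", "").replace(")", "")


def ports(spec):
    """Expand '113', '6881:6889' or '{ 2300, 2301 2302 }' into a set of ints."""
    result = set()
    for item in spec.strip("{}").replace(",", " ").split():
        lo, _, hi = item.partition(":")
        if hi in ("", "*"):
            hi = lo
        result.update(range(int(lo), int(hi) + 1))
    return result


def parse_rules(text):
    """Return (rdr rules, pass-in rules) with macros expanded and ports as sets."""
    lines = join_continuations(text)
    macros = parse_macros(lines)
    rdrs, passes = [], []
    for line in lines:
        line = expand(line, macros)
        m = RDR_RE.match(line)
        if m:
            iface, proto, _ext, ext_spec, target, target_spec = m.groups()
            ext_ports = sorted(ports(ext_spec))
            lo, _, hi = target_spec.partition(":")
            if hi == "*":  # 'port N:*' maps the external range 1:1 onto N, N+1, ...
                target_ports = set(range(int(lo), int(lo) + len(ext_ports)))
            else:
                target_ports = ports(target_spec)
            rdrs.append({"iface": iface, "proto": proto, "ext_ports": set(ext_ports),
                         "target": target, "target_ports": target_ports})
            continue
        m = PASS_RE.match(line)
        if m:
            iface, proto, dst, spec = m.groups()
            passes.append({"iface": iface, "proto": proto, "dst": dst, "ports": ports(spec)})
    return rdrs, passes


def check(text):
    """One finding per rdr whose translated traffic no pass-in rule admits."""
    rdrs, passes = parse_rules(text)
    findings = []
    for r in rdrs:
        same = [p for p in passes if p["iface"] == r["iface"] and p["proto"] == r["proto"]]
        if any(p["dst"] == r["target"] and r["target_ports"] <= p["ports"] for p in same):
            continue
        # A pass rule aimed at the external address never sees the redirected
        # packet: by the time the filter runs, rdr has already rewritten it.
        stale = any(p["dst"] == r["iface"] and r["ext_ports"] & p["ports"] for p in same)
        findings.append({"iface": r["iface"], "proto": r["proto"],
                         "ext_ports": sorted(r["ext_ports"]), "target": r["target"],
                         "target_ports": sorted(r["target_ports"]),
                         "pass_matches_pre_translation": stale})
    return findings


def suggest(finding):
    """Render a pass rule that matches the translated destination."""
    lo, hi = finding["target_ports"][0], finding["target_ports"][-1]
    port = str(lo) if lo == hi else f"{lo}:{hi}"
    return (f"pass in on {finding['iface']} inet proto {finding['proto']} from any "
            f"to {finding['target']} port {port} keep state flags S/SA")


if __name__ == "__main__":
    for f in check(PF_CONF):
        print(f"rdr {f['proto']}/{f['ext_ports']} -> {f['target']}:{f['target_ports']} "
              f"is blocked (pass rule written pre-translation: "
              f"{f['pass_matches_pre_translation']})")
        print("  suggested:", suggest(f))
```

Run against the excerpt it reports the 113 and 36881:36889 redirects as blocked and leaves the 2222 redirect alone, because a rule matching `192.168.16.4 port 22` exists. The same check applied to a full `pf.conf` needs the `pass in` rules for any other `$nat_proto`-style list macros to be expanded first; the script only handles the scalar macros the excerpt uses.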



More information about the PLUG-discuss mailing list