Try replacing

    rdr on $ext_if inet proto tcp from any to ($ext_if) port \
        113 -> $identd_addr port 113

with

    rdr on $ext_if inet proto tcp from any to any port \
        113 -> $identd_addr

Technomage wrote:
> ok, I seem to be running into a small problem with my pf (OpenBSD) firewall.
>
> seems I cannot get the auth port (113) to forward (even though I have followed
> the documentation and even had some help).
>
> below are the relevant sections of PF I am concerned with:
> #######################################################################
> ### Macros: define common values, so they can be referenced and
> ### changed easily.
> ext_if="le0" # replace with actual external interface name i.e., dc0
> int_if="hme0" # replace with actual internal interface name i.e., dc1
>
> ### Network macros
>
> #hosts
> internal_net="192.168.16.1/24"
> skype_addr="192.168.16.4"
> bittorrent_4_addr="192.168.16.4"
> bittorrent_1_addr="192.168.16.17"
> mechwarrior_addr="192.168.16.17"
> identd_addr="192.168.16.4"
> sshd_addr="192.168.16.4"
>
> ### System macros
> nat_proto="{ tcp, udp, icmp, igmp }"
>
> #######################################################################
> ### Normalization: reassemble fragments and resolve or reduce traffic
> ### ambiguities.
> scrub in all
> scrub out all
>
> #######################################################################
> ### Translation: specify how addresses are to be mapped or redirected.
> # nat: packets going out through $ext_if with source address $internal_net will
> # get translated as coming from the address of $ext_if, a state is created for
> # such packets, and incoming packets will be redirected to the internal address.
> nat on $ext_if inet proto $nat_proto \
>     from $internal_net to any -> ($ext_if)
>
> # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
> # be redirected to 10.1.1.1:5678. A state is created for such packets, and
> # outgoing packets will be translated as coming from the external address.
>
> rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>     39046 -> $skype_addr port 39046
> rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>     36881:36889 -> $bittorrent_4_addr port 36881:*
> rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>     6881:6889 -> $bittorrent_1_addr port 6881:*
> rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>     2300:2350 -> $mechwarrior_addr port 2300:*
> rdr on $ext_if inet proto udp from any to ($ext_if) port \
>     2300:2350 -> $mechwarrior_addr port 2300:*
> rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>     113 -> $identd_addr port 113
> rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>     2222 -> $sshd_addr port 22
>
> #######################################################################
> ## Filtering: the implicit first two rules are
> # pass all local traffic, and block everything else.
> pass quick on lo0 all
> block in all
> block out all
>
> ###
> ### [ext] pass in all allowed traffic
>
> # DHCP assignments to Firewalled Host
> pass in on $ext_if inet proto tcp \
>     from any to $ext_if port { 68 }
>
> # Skype to VoIP Host
> pass in on $ext_if inet proto tcp \
>     from any to $ext_if port { 39046 } keep state flags S/SA
>
> # Bit Torrent space 4
> pass in on $ext_if inet proto tcp \
>     from any to $ext_if port { 36881, 36882, \
>     36883, 36884, 36885, 36886, 36887, 36888, \
>     36889 } keep state flags S/SA
>
> # Bit Torrent space 1
> pass in on $ext_if inet proto tcp \
>     from any to $ext_if port { 6881, 6882, \
>     6883, 6884, 6885, 6886, 6887, 6888, \
>     6889 } keep state flags S/SA
>
> #mechwarrior ports
> pass in on $ext_if inet proto tcp \
>     from any to $ext_if port { 2300 2301 2302 \
>     2303 2304 2305 2306 2307 2308 2309 2310 2311 \
>     2312 2312 2313 2314 2315 2316 2317 2318 2319 \
>     2320 2321 2322 2323 2324 2325 2326 2327 2328 \
>     2329 2330 2331 2332 2333 2334 2335 2336 2337 \
>     2338 2339 2340 2341 2342 2343 2344 2345 2346 \
>     2347 2348 2349 2350 } keep state flags S/SA
>
> pass in on $ext_if inet proto udp \
>     from any to $ext_if port { 2300 2301 2302 \
>     2303 2304 2305 2306 2307 2308 2309 2310 2311 \
>     2312 2312 2313 2314 2315 2316 2317 2318 2319 \
>     2320 2321 2322 2323 2324 2325 2326 2327 2328 \
>     2329 2330 2331 2332 2333 2334 2335 2336 2337 \
>     2338 2339 2340 2341 2342 2343 2344 2345 2346 \
>     2347 2348 2349 2350 }
>
> # Identd Auth (for irc)
> pass in on $ext_if inet proto tcp \
>     from any to $ext_if port { 113 } keep state flags S/SA
>
> # sshd high port
> pass in on $ext_if inet proto tcp \
>     from any to $ext_if port { 2222 } keep state flags S/SA
>
>
> ### [ext] pass out all previously nat'd protocols
> pass out on $ext_if inet proto $nat_proto \
>     all keep state
>
> ###
> ### [int] pass in/out all internal traffic to the outside/inside & keep state
> pass in on $int_if inet proto $nat_proto \
>     all keep state
> pass out on $int_if inet proto $nat_proto \
>     all keep state
>
> ####################
>
> now, so far, all attempts to have this work (especially for ssh and auth) seem
> to fail. the traffic gets to the port on the firewall and then goes nowhere
> after that.
>
> HELP!

-- 
Darrin Chandler            |  Phoenix BSD Users Group
dwchandler@stilyagin.com   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
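Added example, not code from either poster: the identd redirect from the quoted pf.conf paired with a filter rule that actually matches it. In the nat/rdr-style pf of OpenBSD releases before 4.7 (the syntax the post uses, assumed here), translation rules are evaluated before filter rules, so a filter rule sees the packet with its destination already rewritten by rdr. A "pass in ... to $ext_if port 113" rule therefore never matches a redirected auth packet, whose destination is by then $identd_addr:113; the packet falls through to "block in all", which matches the symptom "gets to the port on the firewall and then goes nowhere". The same applies to the 2222 -> 22 ssh redirect, where the filter rule has to match $sshd_addr port 22. The macro values are the ones from the post; everything else in the block is an assumption for illustration.

```pf
# Added example (not from the original post). Assumes OpenBSD pf with the
# pre-4.7 nat/rdr syntax; macro values are reused from the quoted pf.conf.
ext_if="le0"
identd_addr="192.168.16.4"
sshd_addr="192.168.16.4"

# Redirect incoming auth connections on the external address to the inside host.
# "to ($ext_if)" restricts the redirect to the interface's own address, which is
# the tighter match; "to any" would redirect every port-113 packet arriving on
# the interface regardless of destination address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 113 \
    -> $identd_addr port 113
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 \
    -> $sshd_addr port 22

# Wrong: filter rules run after translation, so when this rule is evaluated the
# destination is already $identd_addr and "to $ext_if" never matches. The packet
# is then dropped by "block in all".
#pass in on $ext_if inet proto tcp from any to $ext_if port 113 \
#    keep state flags S/SA

# Right: match the translated destination and port. Keeping "on $ext_if" means
# only traffic that really entered from the outside is admitted, and
# "flags S/SA" still limits state creation to the initial SYN.
pass in on $ext_if inet proto tcp from any to $identd_addr port 113 \
    keep state flags S/SA
pass in on $ext_if inet proto tcp from any to $sshd_addr port 22 \
    keep state flags S/SA

# Alternative: "rdr pass" redirects and passes in one rule, so there is no
# separate filter rule to keep in sync with the translation.
#rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 113 \
#    -> $identd_addr port 113
```

To verify a change like this without loading it, run `pfctl -nf /etc/pf.conf` (parse only), then after loading compare `pfctl -sn` (translation rules) against `pfctl -sr` (filter rules) and confirm the filter rule's destination is the post-rdr address. Changing "block in all" to "block in log all" and watching `tcpdump -ni pflog0` shows exactly which packet is being dropped and with which destination, which makes the translated-before-filtered behaviour visible directly. One unrelated detail in the quoted config worth noting while editing it: DHCP client traffic on port 68 is UDP, so a "proto tcp" pass rule for port 68 does not admit it.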