rdr only works for some ports
Steven Schoch
schoch at spamcop.net
Fri Aug 19 17:40:23 GMT 2005
I'm having trouble getting rdr to work. Here's the configuration:
The host on which pf is running has its own services, particularly HTTP
and SSH, so I set up a pool of other (external) addresses to use for
NAT. Thus, I have my aliases set up in /etc/rc.conf:
ifconfig_fxp0="inet x.y.z.5 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.5 netmask 255.255.255.0"
ifconfig_fxp0_alias0="x.y.z.20 netmask 0xffffffff"
ifconfig_fxp0_alias1="x.y.z.21 netmask 0xffffffff"
ifconfig_fxp0_alias2="x.y.z.22 netmask 0xffffffff"
ifconfig_fxp0_alias3="x.y.z.23 netmask 0xffffffff"
ifconfig_fxp0_alias4="x.y.z.24 netmask 0xffffffff"
# And my pf.conf file is set up like this:
ext_if="fxp0"
external_addr="x.y.z.5"
# These are my external NAT addresses
nat1="x.y.z.21"
nat2="x.y.z.22"
nat3="x.y.z.23"
nat4="x.y.z.24"
int_if="fxp1"
internal_net="192.168.1.0/24"
table <nat_pool> { $nat1, $nat2, $nat3, $nat4 }
# I then have NAT set like this:
nat on $ext_if inet from $internal_net to any -> <nat_pool>
# Next, I want SSH and TAPI to go to particular machines on the internal net:
rdr on $ext_if proto tcp from any to $nat1/32 port 22 -> 192.168.1.101
rdr on $ext_if proto tcp from any to $nat1/32 port 5000 -> 192.168.1.7
# And some of my internal users connect to X11 clients, so I map some X11 ports:
rdr on $ext_if proto tcp from any to <nat_pool> port 6104 -> 192.168.1.104
rdr on $ext_if proto tcp from any to <nat_pool> port 6105 -> 192.168.1.105
rdr on $ext_if proto tcp from any to <nat_pool> port 6106 -> 192.168.1.106
Except for the "x.y.z", everything is exactly taken from the files.
The problem: connecting to the X11 ports works (DISPLAY=nat1.domain:104
works from an external Internet address), but ssh to nat1 times out.
Yes, I know 192.168.1.101 is running a valid SSH server on port 22,
since I also have a Netgear NAT router pointing to it that works just
fine. The same for the system listening on port 5000.
Yes, I tried substituting <nat_pool> for $nat1/32 and vice versa as a
test, but the end result is the same: port 6104 works, but ports 22 and
5000 do not.
Is there anything obvious I'm doing wrong? Is this a FAQ?
--
Steve
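As an added example that is not part of this post: a small Python parser for the rule shape used above. It expands the $macro and <table> references and lists every external address/port pair that pf will redirect, which is the first thing to check when some rdr rules appear to work and others do not. The pf.conf text is constructed from the rules quoted in the post (x.y.z.* kept as placeholders), and only that rule form is handled (no "port N -> host port M" rewrites).

```python
import re

# pf.conf fragment constructed from the rules in the post (x.y.z.* as in the post)
PF_CONF = """\
ext_if="fxp0"
nat1="x.y.z.21"
nat2="x.y.z.22"
nat3="x.y.z.23"
nat4="x.y.z.24"
table <nat_pool> { $nat1, $nat2, $nat3, $nat4 }
rdr on $ext_if proto tcp from any to $nat1/32 port 22 -> 192.168.1.101
rdr on $ext_if proto tcp from any to $nat1/32 port 5000 -> 192.168.1.7
rdr on $ext_if proto tcp from any to <nat_pool> port 6104 -> 192.168.1.104
"""
# Only the rule shape used in the post: rdr on IF proto P from SRC to DST port N -> HOST
RDR_RE = re.compile(r"^rdr on \$?(\S+) proto (\w+) from (\S+) to (\S+) port (\d+) -> (\S+)$")

def expand_rdr(conf):
    """Return {(external_addr, proto, port): internal_host}, expanding
    $macros and <tables> so every externally reachable pair is listed."""
    macros, tables, exposed = {}, {}, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'^(\w+)="([^"]*)"$', line)   # macro definition
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^table <(\w+)> \{([^}]*)\}$", line)  # table definition
        if m:
            members = [x.strip() for x in m.group(2).split(",")]
            tables[m.group(1)] = [macros.get(x.lstrip("$"), x) for x in members]
            continue
        m = RDR_RE.match(line)
        if not m:
            continue
        _ifc, proto, _src, dst, port, target = m.groups()
        dst = dst.split("/")[0]                   # strip a /32-style prefix length
        if dst.startswith("<"):
            addrs = tables[dst.strip("<>")]       # pool: one entry per member
        else:
            addrs = [macros.get(dst.lstrip("$"), dst)]
        for addr in addrs:
            key = (addr, proto, int(port))
            if key in exposed and exposed[key] != target:
                raise ValueError(f"conflicting rdr for {key}")
            exposed[key] = target
    return exposed
```

Sorting the returned dictionary and printing it gives a per-address inventory that can be compared against the output of pfctl -s nat on the box.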