pf: is there a misunderstanding of how nat and rdr work?

Hi,

I'm trying to master pf under FreeBSD 9.1

and have run into a simple problem: I can't set up a port redirect.


Here is my /etc/pf.conf:

### interfaces
int = "ale0"
ext = "vr0"
localnet = $int:network

### servers
mail = "192.168.1.251"
mail_smtp = "192.168.1.250"

### services
mail_services = "{ loc-srv, smtps, submission, imap, imaps }"
icmp_types = "{ echoreq, unreach }"

#nat
nat on $ext from $localnet to any -> ($ext)

rdr pass on $ext proto tcp from any to any port smtp -> $mail_smtp

no rdr

########### filtering
block all
pass inet from { lo0, $localnet } to any keep state
pass in inet proto tcp to port { 10022, http, https }

pass inet proto icmp icmp-type $icmp_types
pass out on $ext inet proto udp to port 33433 >< 33626



Now, if I try to connect to port 25, telnet gives this:

telnet: Unable to connect to remote host: No route to host



The local network itself is 192.168.0.0/22

The router has the address 192.168.0.47


I will appreciate any tips!
October 3rd 19 at 04:28
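For comparison, here is an added example ruleset for the same redirect. It is not the asker's config and not taken from the pf documentation; the interface, address and service names are the ones from the question. It differs in three defensive details: the rdr only catches SMTP addressed to the router's own external address rather than "to any", the "no rdr" line is dropped because translation rules are evaluated first-match and nothing follows it, and the redirected connection is admitted by an explicit, logged filter rule instead of "rdr pass", so it appears in "pfctl -sr" and in pflog. It assumes what the accepted answer later found: the mail server's default gateway must be this box, otherwise the SYN-ACK leaves through another router and the state created by the rdr never completes.

```pf
### interfaces (names from the question)
int = "ale0"
ext = "vr0"
localnet = $int:network

### servers
mail_smtp = "192.168.1.250"

### services
icmp_types = "{ echoreq, unreach }"

set skip on lo0

### translation: the FIRST matching rule wins, so order matters
# Outbound NAT for the LAN. ($ext) in parentheses follows the
# interface address if it changes (DHCP/PPPoE).
nat on $ext from $localnet to any -> ($ext)

# Redirect only SMTP that is addressed to the router's own external
# address; "to any" would also catch transit traffic routed via vr0.
rdr on $ext inet proto tcp from any to ($ext) port smtp -> $mail_smtp port smtp

### filtering: the LAST matching rule wins
block log all

# LAN hosts and the router itself may initiate anything
pass from $localnet to any keep state
pass out on $ext keep state

# Services hosted on the router itself
pass in on $ext inet proto tcp to ($ext) port { 10022, http, https } keep state

# The redirected SMTP connection. Filter rules see the packet AFTER
# translation, so match the internal address, not the external one.
pass in log on $ext inet proto tcp to $mail_smtp port smtp keep state

pass inet proto icmp icmp-type $icmp_types keep state
pass out on $ext inet proto udp to port 33433 >< 33626 keep state
```

Check the syntax and the macro expansion with "pfctl -vnf /etc/pf.conf" before loading, list the translation rules with "pfctl -sn", and watch the redirected connection with "pfctl -ss" while the external telnet test runs: a state in SYN_SENT that never moves on is the asymmetric-routing symptom the thread ends up diagnosing, and "tcpdump -n -e -ttt -i pflog0" shows both the blocked packets and the logged SMTP passes.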
3 answers
October 3rd 19 at 04:30
Solution
By the way, pf does work; I had understood everything correctly.

However, the test machine was still using the old default gateway, which is why the return traffic went back through the old gateway.
Once I pointed it at the new gateway, everything suddenly worked.
October 3rd 19 at 04:32
telnet: Unable to connect to remote host: No route to host


The firewall has nothing to do with it. The host is not visible on the network. If the port were closed, it would say: telnet: Unable to connect to remote host: Connection refused.
That's what I thought too, but from the router I can reach 192.168.1.250:25
and see the HELO and so on. - Davonte.Rodriguez commented on October 3rd 19 at 04:35
Ah! Sorry, I read the question inattentively. I didn't realize it was about the redirect. - Armando_Mayer commented on October 3rd 19 at 04:38
October 3rd 19 at 04:34
I'm not strong in pf, so I can't contribute much.

I am confused by this construction:

nat on $ext from $localnet to any -> ($ext)

Shouldn't it be ($int)?
Frankly, I've confused myself.
You need external connections to be redirected to the internal server?
rdr pass on $ext proto tcp from any to $ext port smtp -> $mail_smtp port smtp - Davonte.Rodriguez commented on October 3rd 19 at 04:37
Yes, that's right.
I need the outside, for example gmail.com, to be able to deliver mail to the local server.

I tried that rule, but...
all it adds is that the port on the mail server should be 25.
However, it's the exact same error: "no route to host" ^(

And yes, judging by the handbook, nat on $ext from $localnet to any -> ($ext) is the correct line. - Armando_Mayer commented on October 3rd 19 at 04:40
"no route to host"
Are you checking from the local network? Run a traceroute to 192.168.1.250 - pearl_Web commented on October 3rd 19 at 04:43
At the same time, here is the routing table:
root@gw:/root # netstat -anr
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default xx.yy.zz.1 UGS 0 vr0 634145
xx.yy.zz.0/24 link#7 U 0 11216 vr0
xx.yy.zz.c1 link#7 UHS 0 0 lo0
xx.yy.zz.c2 link#7 UHS 0 0 lo0
127.0.0.1 link#11 UH 0 lo0 50
192.168.0.0/22 link#1 U 0 777890 ale0
192.168.1.199 link#1 UHS 0 0 lo0

Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
::1 link#11 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
fe80::/10 ::1 UGRS lo0
fe80::%ale0/64 link#1 U ale0
fe80::224:8cff:fedb:c534%ale0 link#1 UHS lo0
fe80::%vr0/64 link#7 U vr0
fe80::20d:88ff:feb5:bea6%vr0 link#7 UHS lo0
fe80::%lo0/64 link#11 U lo0
fe80::1%lo0 link#11 UHS lo0
ff01::%ale0/32 fe80::224:8cff:fedb:c534%ale0 ale0 U
ff01::%vr0/32 fe80::20d:88ff:feb5:bea6%vr0 vr0 U
ff01::%lo0/32 ::1 U lo0
ff02::/16 ::1 UGRS lo0
ff02::%ale0/32 fe80::224:8cff:fedb:c534%ale0 ale0 U
ff02::%vr0/32 fe80::20d:88ff:feb5:bea6%vr0 vr0 U
ff02::%lo0/32 ::1 U lo0

root@gw:/etc # traceroute 192.168.1.250
traceroute to 192.168.1.250 (192.168.1.250), 64 hops max, 52 byte packets
 1 iatepus (192.168.1.250) 0.308 ms 0.146 ms 0.179 ms


I'm checking from outside. - Davonte.Rodriguez commented on October 3rd 19 at 04:46