BABUT
Joined: 07 Feb 2009 Posts: 13
Posted: Thu Sep 03, 2009 8:30 am Post subject: monkeys changed syntax in pf

..for nat/rdr rules and anchors.
PS: I hate them too ;)

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Fri Sep 04, 2009 9:04 am Post subject: Re: monkeys changed syntax in pf

BABUT wrote:
> ..for nat/rdr rules and anchors.
> PS: I hate them too
What are you talking about?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Fri Sep 04, 2009 4:26 pm

BABUT wrote:
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c
> now miniupnpd isn't working
OK. Seems like it would be for OpenBSD 4.7.
It'll be OK for OpenBSD 4.6.

BABUT
Joined: 07 Feb 2009 Posts: 13
Posted: Sun Oct 25, 2009 10:21 pm

The changes of pf syntax are not included in the 4.6 release. Anybody help me save 6 months of my life? ;)

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Sat Mar 06, 2010 8:24 am

I'm currently working to add support for the pf rule syntax in OpenBSD 4.7, which is coming...
Anybody having some tested RDR rule samples under OpenBSD-current?

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Sat Mar 06, 2010 9:18 am

pf(4) is up to date in the man pages, but pf.conf(5) is not. It is dated from May 2009.
The example given is:
Code:
rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd
How is the same rule written with the new syntax???
Well, in fact I would need to write the rule
Code:
rdr pass on xl1 inet proto udp from any to any port = 12345 label "testing" -> 10.10.42.42 port 54321
with the new syntax.

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Sat Mar 06, 2010 9:21 am

If you have some redirection rules, the output of pfctl -srules | grep rdr on your OpenBSD-current could help.

BABUT
Joined: 07 Feb 2009 Posts: 13
Posted: Sat Mar 06, 2010 9:34 am

variant 1:
pass in on $ext proto tcp to (self) port telnet rdr-to $target
pass out on $int proto tcp to $target port telnet
variant 2:
match in on $ext proto tcp to (self) port telnet rdr-to $target
pass in on $ext proto tcp to $target port telnet
pass out on $int proto tcp to $target port telnet
variant 3:
match in on $ext proto tcp to (self) port telnet rdr-to $target tag PASS
pass all tagged PASS
variant 4: ..
..
or it? %)

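The rewrite miniupnp asks about above (old `rdr` / `rdr pass` rules into the OpenBSD 4.7 `rdr-to` form), carried out for BABUT's variants 1 and 3, as an added Python example; it is not code from this thread or from miniupnpd. The function name `convert_rdr` and the regular-expression grammar are assumptions of this example: it handles the `rdr [pass] [log] on IF ... -> TARGET [port P]` shape quoted in the thread and passes operators such as `port = 12345` through unchanged.

```python
import re
from typing import List, Optional

# Shape of the OpenBSD <= 4.6 translation rule this converter understands
# (an assumption for this example; pf.conf(5) allows more forms):
#   rdr [pass] [log] on IF <af/proto/from/to/port/label...> -> TARGET [port P]
OLD_RDR = re.compile(
    r"^rdr(?P<pass>\s+pass)?(?P<log>\s+log)?\s+on\s+(?P<ifname>\S+)\s+"
    r"(?P<body>.+?)\s+->\s+(?P<target>\S+)(?:\s+port\s+(?P<port>\S+))?\s*$"
)


def convert_rdr(rule: str, tag: Optional[str] = None) -> List[str]:
    """Rewrite one old 'rdr' rule into OpenBSD 4.7 'rdr-to' syntax.

    - 'rdr pass ...' collapses into a single 'pass in ... rdr-to ...' rule
      (variant 1 in the thread): in 4.7 translation is a filter option.
    - a plain 'rdr ...' only translates, so it becomes 'match in ... rdr-to ...'
      and still needs its own pass rule.  With tag=..., the variant-3 pair
      ('match ... tag T rdr-to ...' plus 'pass in ... tagged T') is emitted,
      which keeps the pass rule scoped to exactly the redirected traffic.
    """
    m = OLD_RDR.match(rule.strip())
    if m is None:
        raise ValueError(f"not an old-style rdr rule: {rule!r}")
    ifname, body = m.group("ifname"), m.group("body")
    log = " log" if m.group("log") else ""
    rdr_to = f"rdr-to {m.group('target')}"
    if m.group("port"):
        rdr_to += f" port {m.group('port')}"
    if m.group("pass"):
        return [f"pass in{log} on {ifname} {body} {rdr_to}"]
    if tag:
        return [
            f"match in{log} on {ifname} {body} tag {tag} {rdr_to}",
            f"pass in on {ifname} tagged {tag}",
        ]
    return [f"match in{log} on {ifname} {body} {rdr_to}"]


if __name__ == "__main__":
    # The two rules quoted in the thread, run through the converter.
    for old in (
        "rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd",
        'rdr pass on xl1 inet proto udp from any to any port = 12345 '
        'label "testing" -> 10.10.42.42 port 54321',
    ):
        print(old)
        for new in convert_rdr(old, tag="PASS"):
            print("  ->", new)
```

The converter only rewrites syntax; whether the resulting pass rule is as narrow as the old `rdr pass` was still has to be checked against `pfctl -sr` on the target box.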
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Sat Mar 06, 2010 9:39 am

BABUT wrote:
> variant 1:
> pass in on $ext proto tcp to (self) port telnet rdr-to $target
> pass out on $int proto tcp to $target port telnet
> variant 2:
> match in on $ext proto tcp to (self) port telnet rdr-to $target
> pass in on $ext proto tcp to $target port telnet
> pass out on $int proto tcp to $target port telnet
> variant 3:
> match in on $ext proto tcp to (self) port telnet rdr-to $target tag PASS
> pass all tagged PASS
> variant 4: ..
> ..
> or it? %)
Thanks!

BABUT
Joined: 07 Feb 2009 Posts: 13
Posted: Sat Mar 06, 2010 9:48 am

I use variant 3:
match in inet proto tcp from any to (self) port = domain tag PASS rdr-to 127.0.0.1
match in inet proto udp from any to (self) port = domain tag PASS rdr-to 127.0.0.1
match in inet proto tcp from <free> to (self) port = auth tag PASS rdr-to 127.0.0.1
match in inet proto tcp from <free> to (self) port = ntp tag PASS rdr-to 127.0.0.1
match in inet proto udp from <free> to (self) port = ntp tag PASS rdr-to 127.0.0.1
match in on ste0 inet proto udp from 192.168.200.20 to (self) port = snmp tag PASS rdr-to 127.0.0.1
match in on ste0 inet proto udp from 192.168.200.20 to (self) port = snmp-trap tag PASS rdr-to 127.0.0.1
match in on ath0 inet proto udp from 192.168.200.20 to (self) port = snmp tag PASS rdr-to 127.0.0.1
match in on ath0 inet proto udp from 192.168.200.20 to (self) port = snmp-trap tag PASS rdr-to 127.0.0.1
match in inet proto tcp from <local> to (self) port = www tag PASS rdr-to 127.0.0.1
match in inet proto tcp from <local> to (self) port = https tag PASS rdr-to 127.0.0.1
match in on ste0 inet proto udp from 192.168.200.20 to (self) port = syslog tag PASS rdr-to 127.0.0.1
match in on ath0 inet proto udp from 192.168.200.20 to (self) port = syslog tag PASS rdr-to 127.0.0.1
match in inet proto tcp from <free> to (self) port = 3128 tag PASS rdr-to 127.0.0.1
match in inet proto tcp from <local> to (self) port = 3128 tag PASS rdr-to 127.0.0.1
match in on ste0 inet proto tcp from 192.168.200.20 to (self) port = 3401 queue(Q_high_data, Q_high_init) tag PASS rdr-to 127.0.0.1
match in on ste0 inet proto udp from 192.168.200.20 to (self) port = 3401 queue(Q_high_data, Q_high_init) tag PASS rdr-to 127.0.0.1
match in on ath0 inet proto tcp from 192.168.200.20 to (self) port = 3401 queue(Q_high_data, Q_high_init) tag PASS rdr-to 127.0.0.1
match in on ath0 inet proto udp from 192.168.200.20 to (self) port = 3401 queue(Q_high_data, Q_high_init) tag PASS rdr-to 127.0.0.1
match in inet proto udp from <free> to (self) port = 3130 queue(Q_high_data, Q_high_init) tag PASS rdr-to 127.0.0.1
match in inet proto tcp from <free> to (self) port = 2101 queue(Q_high_data, Q_high_init) tag PASS rdr-to 127.0.0.1
match in inet proto tcp from any to (self) port = 6660 queue(Q_high_data, Q_high_init) tag PASS rdr-to 127.0.0.1
match in inet proto tcp from any to 83.234.231.138 port = 3389 tag PASS rdr-to 195.151.6.241 port 3399

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Mon Mar 08, 2010 5:31 pm

I've done some work thanks to Chris Kildau, who gave me access to his OpenBSD-current box.
Here is the result: miniupnpd-1.4.20100308.tar.gz
But it still doesn't work for some unknown reason.
Maybe adding a rule now doesn't work with DIOCCHANGERULE, only with DIOCADDRULE.
If someone wants to have a look, execute ./genconfig.sh, then change to the pf directory and run make. testobsdrdr will fail to add a rule but should properly display rules already set in the anchor "miniupnpd".

BABUT
Joined: 07 Feb 2009 Posts: 13
Posted: Thu Mar 25, 2010 11:42 pm

Maybe Henning Brauer (henning@openbsd.org) can help you? ;)

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Fri Mar 26, 2010 9:43 am

Before annoying him, I should do some tests on an OpenBSD version that is the same as what will be released as OpenBSD 4.7. (Contact me by email if you can provide me that.)
