how to do port forwarding (rdr) in freebsd 6.1


purpose: set up a port forwarding firewall on freebsd 6.1

environment: fxp0 is the external NIC (192.168.1.1/24), fxp1 is the internal one (192.168.0.1/24), servera is on the LAN
steps:

  • configure IP aliases on fxp0
# ifconfig fxp0 inet alias 192.168.1.2 netmask 255.255.255.0
# ifconfig fxp0 inet alias 192.168.1.3 netmask 255.255.255.0
  • add the same configuration to /etc/rc.conf so the aliases survive a reboot
ifconfig_fxp0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_fxp0_alias1="inet 192.168.1.3 netmask 255.255.255.0"
  • in /etc/pf.conf, after 'scrub in' and before 'block all', add one of:
rdr on $fxp0 proto tcp from any to 192.168.1.2 port 3389 -> $servera
or
rdr on $fxp0 proto tcp from any to 192.168.1.2 port 3389 -> $servera port 3390

# servera
# pass external users to servera on port 3389: after rdr the destination is already servera instead of 192.168.1.2. No separate filter rule is needed for the rdr itself, because translation happens before the traffic reaches the PF filter rules.
pass in quick on $fxp0 proto tcp from any to $servera port 3389 flags S/SA keep state    # evaluated after rdr
# note: this rule uses $servera, not the external alias 192.168.1.2, because it is evaluated after the rdr rule and no rule for the rdr itself is needed.
pass out quick on $fxp1 proto tcp from any to $servera port 3389 flags S/SA keep state    # passes the redirected traffic on to servera; servera needs a route back to the original source
==========================
note: with this method servera sees the real source IP. If you also want to NAT the source after the rdr, translate it to the firewall's internal IP 192.168.0.1 by adding the following just after (or just before) the rdr rule above:

nat on $fxp1 proto tcp from any to $servera -> 192.168.0.1


This way servera sees the traffic as coming from 192.168.0.1.

The pass rules change too: after NAT the source IP is 192.168.0.1, so they become:
pass in quick on $fxp0 proto tcp from any to $servera port 3389 flags S/SA keep state    # evaluated after rdr
pass out quick on $fxp1 proto tcp from 192.168.0.1 to $servera port 3389 flags S/SA keep state    # evaluated after nat; servera only needs to reply to the firewall's internal IP 192.168.0.1

Important rules:
RDR happens before the actual PF filtering rules: as traffic comes in, it goes through rdr first and only then through the filter rules.

NAT also happens before the actual PF filtering rules: before traffic leaves an interface, nat is applied first, and then the outgoing filter rules are applied to the translated packet.

RDR -> incoming pf rules -> |Server Interface 1 -> NAT -> Server Interface 2| -> outgoing pf rules
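A complete /etc/pf.conf that assembles the steps above in the order pf requires (macros, scrub, translation, filtering), as an added example that is not part of the original post. It uses the macro names ext_if and int_if in place of $fxp0/$fxp1 and assumes servera is 192.168.0.10, an address the post does not state.

```conf
# /etc/pf.conf for the FreeBSD 6.1 rdr setup described above (added example)
ext_if = "fxp0"                 # external NIC, 192.168.1.1/24
int_if = "fxp1"                 # internal NIC, 192.168.0.1/24
servera = "192.168.0.10"        # assumed LAN address of servera
rdp_alias = "192.168.1.2"       # external alias added with ifconfig / rc.conf

# normalization
scrub in all

# translation rules: pf evaluates these before any filter rule
# inbound tcp/3389 to the external alias is redirected to servera
rdr on $ext_if proto tcp from any to $rdp_alias port 3389 -> $servera
# optional: also rewrite the source so servera only sees the firewall's
# internal IP; remove this line if servera should see the real client IP
nat on $int_if proto tcp from any to $servera port 3389 -> 192.168.0.1

# filter rules: by the time these run the destination is already $servera
block all
pass in quick on $ext_if proto tcp from any to $servera port 3389 flags S/SA keep state
# with the nat rule above the source is 192.168.0.1; without it use "from any"
pass out quick on $int_if proto tcp from 192.168.0.1 to $servera port 3389 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the loaded rdr/nat rules and `pfctl -s state` shows the translated sessions, which is the quickest way to confirm the redirect and source rewrite are both taking effect.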