Netgate Discussion Forum

Need help understanding GUI creation of rdr rules

NAT
6 Posts 2 Posters 3.9k Views
  • R
    rcarr
    last edited by Apr 18, 2007, 9:26 PM

    I'm new to pfsense but have been using OpenBSD and pf for a long time.

    I'm trying to take my pf.conf ruleset from OpenBSD and manually re-create it within pfsense, but am having trouble grokking the way pfsense wants me to do it within its GUI.

    For instance:

    Handle FTP via OpenBSD's ftp-proxy

    rdr on LAN-interface proto tcp from any to any port 21 -> 127.0.0.1 port 8081
    rdr on OPT-interface proto tcp from any to any port 21 -> 127.0.0.1 port 8081

    (I configured the ftp-proxy to run on localhost at TCP 8081 under OpenBSD).

    Can someone suggest how I would recreate the above in the GUI's NAT -> Port Forward?

    Is pftpx the analog to OpenBSD's ftp-proxy?  This FAQ says pfsense's ftp-proxy is running on localhost:

    http://faq.pfsense.org/index.php?action=artikel&cat=10&id=103&artlang=en

    But ps -aux and the pfsense GUI seem to indicate that pftpx is bound to each interface.  So I think the FAQ entry is outdated?

    Similarly, I'm not sure how to re-create:

    Let client systems behind FW use dnscache on FW

    rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53

    and port-forwards from the outside to a host in the DMZ:

    rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 80

    • S
      sullrich
      last edited by Apr 18, 2007, 9:34 PM

      1. Enable the FTP helper on the Interfaces -> WAN area.
      2. Delete any prior ftp port forwards and port forward rules pertaining to port 21/ftp.
      3. Create the nat port forward for 21.

      This will launch pftpx as needed for port forwards at this point.

      • R
        rcarr
        last edited by Apr 19, 2007, 2:38 AM

        I'm trying to create rules which allow ftp (through the ftp-proxy) outbound from the inside and DMZ LANs.

        1. Enable the FTP helper on the Interfaces -> WAN area.

        Why run the ftp helper on the WAN interface?  Wouldn't you want to run the helper on the inbound interface(s) (if I can't run it on localhost)?

        3. Create the nat port forward for 21.

        Can you walk me through what that rule would look like:

        Is the Interface LAN?  Or WAN?  Why?
        Is the external address any?  or Interface addr?
        Is the NAT IP the IP where pftpx is running?
        Do I set the local port to 8021?

        • S
          sullrich
          last edited by Apr 19, 2007, 4:16 AM

          http://wiki.pfsense.com/wikka.php?wakka=FTPTroubleShooting

          • R
            rcarr
            last edited by Apr 19, 2007, 5:13 AM

            Thanks, I will check out that URL.

            My original question isn't really an FTP question, however.  My FTP example was merely an instance of a larger problem: I'm having trouble figuring out how to translate rdr rules from PF into pfsense.

            For instance, in translating this rdr rule to pfsense:

            rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 8080

            What's the "external address"?  Is IP-in-DMZ the "NAT IP"?  Is the "Local Port" 8080?

            And in:

            rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53

            What's the "external address"?  Is it LAN-interface-IP/32?

            Are there any tutorials that illustrate translating nat, binat, rdr and other PF rules into the pfsense GUI?

            • S
              sullrich
              last edited by Apr 19, 2007, 5:37 AM

              pfSense operates on the packet incoming to an interface which creates a state.

              So think of it as incoming to an interface initially (SYN).
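
Following the last reply's point that the rule applies to the packet as it arrives on an interface, here is an added example (not part of the thread and not pfSense code) that splits an rdr rule of the form quoted above into the port-forward fields the posts name. The field mapping and the "External port" label are assumptions; the sample rules are the ones quoted in the thread.

```python
import re

# Covers only the rdr form quoted in this thread:
#   rdr on IF proto PROTO from SRC to DST port N -> TARGET [port M]
RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+port\s+(?P<ext_port>\S+)\s+"
    r"->\s+(?P<target>\S+)(?:\s+port\s+(?P<local_port>\S+))?\s*$"
)

def rdr_to_port_forward(rule):
    """Map one rdr rule onto GUI port-forward fields (assumed mapping)."""
    m = RDR_RE.match(rule.strip())
    if m is None:
        raise ValueError("unsupported rdr syntax: %r" % rule)
    notes = []
    if m["src"] != "any":
        # This mapping has no slot for a source match; flag it for review.
        notes.append("source restricted to %s: review the filter rule" % m["src"])
    if m["target"].startswith("127."):
        notes.append("target is a service on the firewall itself (loopback)")
    return {
        # The interface the packet arrives on, i.e. the "on" clause.
        "Interface": m["iface"],
        "Protocol": m["proto"].upper(),
        # Destination the client addressed before translation.
        "External address": m["dst"],
        "External port": m["ext_port"],
        # Where the packet is redirected to.
        "NAT IP": m["target"],
        # pf keeps the original port when the target names none.
        "Local port": m["local_port"] or m["ext_port"],
        "notes": notes,
    }

# Rules as quoted in the thread (interface and host names are placeholders).
SAMPLE_RULES = [
    "rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 8080",
    "rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule)
        for field, value in rdr_to_port_forward(rule).items():
            print("    %-17s %s" % (field, value))
```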

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.