As part of my job I need to be kept aware of the availability of a server within my client's corporate network. Just to make my life hard, their entire network is hidden behind a pair of gateway machines (for this, we can just pretend there is only one machine) running FreeBSD 7.1-PRERELEASE (no, I have no idea why they are running an old, prerelease, version).

Unfortunately, BSD variants run PF and my PF skills are pretty limited, so I attempted to adapt the examples here: http://home.nuug.no/~peter/pf/en/rdr2servers.html to my situation and made the following rules (note: the NRPE port is 5666, and the X's in the IP addresses are just to hide the real IPs):

    rdr on $ext_if inet proto tcp from any to $ext_if port 5666 -> 192.168.X.X
    pass proto tcp from any to 192.168.X.X port 5666 flags S/SA synproxy state

Attempts to connect to the NRPE daemon on 192.168.X.X:5666 yield a timeout.

I have confirmed that port 5666 is reachable from the gateway machine (nmap -p5666 192.168.X.X) and that at least something is alive there (nc 192.168.X.X 5666). I've also confirmed that NRPE works correctly on the monitored machine (using nrpe_check -H localhost) and that all hosts are allowed to talk to the NRPE daemon (via nrpe.cfg).

Can anyone help me rewrite my PF rules to get this to work? For reference, their sysadmin wrote the following PF rules (which also didn't work):

    rdr pass on $ext_if inet proto tcp from any to $ext_if port 5666 -> 192.168.X.X
    pass out on $int_if inet proto tcp from any to 192.168.X.X port 5666