List:       openbsd-misc
Subject:    Re: pf + nat
From:       "Bob McIlvaine" <suemac () empire ! net>
Date:       2004-03-21 21:18:55
Message-ID: 405DC06F.15195.C3E09 () localhost

I saw the last digest with a thread on pf + nat...etc.

I have just started figuring out PF and nat and have 
implemented some of the suggested rules in various 
documents on the subject.

------------------------------------------------------------------------
ext_if="tun0"
int_if="xl0"
lp_if="lo0"
internal_net="192.168.53.0/24"


nat on $ext_if from $internal_net to any -> ($ext_if)

block in log all
pass out all

pass in  on $lp_if  all
pass in  on $int_if all

# add the following and firewall can get to internet
#pass in  on $ext_if all

block in log quick on $ext_if from 0.0.0.0/32 to any
block in log quick on $ext_if from 255.255.255.255/32 to any
block in log quick on $ext_if from 127.0.0.0/8 to any
block in log quick on $ext_if from any to 0.0.0.0/32
block in log quick on $ext_if from any to 255.255.255.255/32
block in log quick on $ext_if from any to 127.0.0.0/8

block in log quick on $ext_if from 10.0.0.0/8 to any
block in log quick on $ext_if from 172.16.0.0/12 to any
block in log quick on $ext_if from 192.168.0.0/16 to any

-------------------------------------------------------------------------------
When this rule set is loaded, my hosts have access to the 
internet, but the firewall does not.

I've found no specific discussions that say the firewall 
shouldn't get to the net.

I noticed from the pflog that the packets are dropped by 
pf because they match the first rule. The packets are 
addressed to the dynamic IP of the nat'ed tun0.

What is the wisdom of internet access from the firewall?

I have implemented some rules that will allow the firewall to 
get to the internet...but I'm not sure what holes I opened in 
doing so. The rule in question is commented out in the above 
pf.conf.

One confusion is that I thought I read that nat happened 
before pf rule check...so, when I saw the dyn. IP addressed 
packets getting dropped, I don't know why the rest of my 
hosts are working...

Nothing new...I'm confused.

Mac
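
An added example, not part of the original post, showing one way to let the firewall itself reach the internet with the same macros and without the commented-out `pass in on $ext_if all`: connections leaving on tun0 keep state, so the replies match a state entry instead of being evaluated against `block in log all`. It assumes pf as shipped with OpenBSD 3.4/3.5, where state is kept only when a rule asks for it, and uses a table (`<martians>`, a name chosen here) for the same address ranges the post blocks one rule at a time.

```pf
# Added example (not from the original post). Same macros as the post;
# assumes pf as shipped with OpenBSD 3.4/3.5, where state is kept only
# when a rule says "keep state". Check syntax first: pfctl -nf /etc/pf.conf
ext_if="tun0"
int_if="xl0"
lp_if="lo0"
internal_net="192.168.53.0/24"

# the same unroutable/private ranges the post blocks, collected in a table
table <martians> const { 0.0.0.0/32, 255.255.255.255/32, 127.0.0.0/8, \
                         10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Translation is applied before filtering, and a nat rule creates its own
# state entry: that is why the LAN hosts' replies never reached
# "block in log all" while the firewall's own replies did.
nat on $ext_if from $internal_net to any -> ($ext_if)

block in log all

block in log quick on $ext_if from <martians> to any
block in log quick on $ext_if from any to <martians>

pass in on $lp_if all
pass in on $int_if all

pass out on $lp_if all
pass out on $int_if all

# Connections leaving on tun0 (the firewall's own and the NATed LAN ones)
# keep state, so replies match the state table and are never evaluated
# against "block in log all". This replaces "pass in on $ext_if all", which
# as the last matching non-quick inbound rule would pass every packet
# arriving on tun0 to the firewall.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -ss` lists the state entries created for the firewall's own connections, and `tcpdump -n -e -ttt -i pflog0` should no longer show their replies being logged by the first rule.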
