On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain <dbent...@nas.edu> wrote:
> Hello Stuart and thanks for your reply.
>
> It still doesn't help, this seems to work but I'm not sure if this is a good config:
>
> # NAT RULES
> match out on $ext tagged LAN nat-to ($ext)
>
> # BLOCKING AND PACKET TAGGING
> pass in on $int from $int_net tag LAN
> #pass in on $int tag LAN
>
> block out on $ext from any to any
>
> pass out quick on $ext tagged LAN
>
> ________________________________________
> From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart Henderson [s...@spacehopper.org]
> Sent: Thursday, November 03, 2011 6:53 AM
> To: misc@openbsd.org
> Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9
>
> you aren't using tagging in your sample.
>
> On 2011-11-03, Wesley M. <open...@e-solutions.re> wrote:
> > Hi, try this sample
> >
> > _int = "re0"
> > _ext = "fxp1"
> > int_net = "192.168.200.0/24"
> > set block-policy drop
> > set skip on lo
> > match in all scrub (no-df max-mss 1440)
> > match out on $_ext inet from $int_net to any nat-to (egress)
> > block log all
> > pass in on $_int inet proto udp from $int_net to any port domain
> > pass in on $_int inet proto tcp from $int_net to any port \
> >     { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
> > pass out on $_ext inet proto tcp all
> > pass out on $_ext inet proto udp all
> >
> >
> > All the best,
> >
> > Wesley MOUEDINE ASSABY.
> >
> >
> >> _int = "re0"
> >> _ext = "fxp1"
> >> int_net = "192.168.200.0/24"
> >>
> >> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
> >> pass in on $_int from $int_net tag LAN_TO_INET
> >>
> >> ......
> >>
> >> pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)
> >>
> >>
> >>
> >> Any reason why at the bottom of my .conf file where nat-to is in my "quick"
> >> rule it would work but when it's at the first filter rule it does not? I've
> >> read over the man page and have the book of pf v.2 and still am confused.
> >> Any thought is greatly appreciated.
> >>
> >>
> >>
> >> Regards,
> >>
> >> Dain

I use something like this. The ruleset has been modified before posting, so no guarantees that I didn't mess something up.

# interfaces
if_lo="lo"
if_enc="enc0"
if_gif="gif0"
if_ext="vlan3"
if_int="vlan20"
if_srv="vlan40"

# interface ip's
ip4_int="10.0.0.1"
ip6_int="2001:xxxx:xxxx:20::10"
ip4_srv="10.0.20.1"
ip6_srv="2001:xxxx:xxxx:40::10"

# networks
net4_int="10.0.0.0/22"
net6_int="2001:xxxx:xxxx:20::/64"
net4_srv="10.0.20.0/22"
net6_srv="2001:xxxx:xxxx:40::/64"

# other macros
icmp_types="echoreq"

# default policy
block log all

# TRANSLATION
match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext) static-port
match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

# allow router access to all nets (ipv4)
pass out on $if_ext proto tcp from $if_ext to any
pass out on $if_ext proto udp from $if_ext to any keep state
pass out on $if_ext inet proto icmp from $if_ext to any keep state
pass out on $if_int proto tcp from $if_int to any
pass out on $if_int proto udp from $if_int to any keep state
pass out on $if_int inet proto icmp from $if_int to any keep state
pass out on $if_int inet6 proto ipv6-icmp from $if_int to any keep state
pass out on $if_srv proto tcp from $if_srv to any
pass out on $if_srv proto udp from $if_srv to any keep state
pass out on $if_srv inet proto icmp from $if_srv to any keep state
pass out on $if_srv inet6 proto ipv6-icmp from $if_srv to any keep state

# tag packets per network
pass in on $if_int proto tcp from { $net4_int, $net6_int } tag INT_INET
pass in on $if_int proto udp from { $net4_int, $net6_int } tag INT_INET keep state
pass in on $if_int inet proto icmp from $net4_int icmp-type $icmp_types tag INT_INET keep state
pass in on $if_int inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv proto udp from { $net4_srv, $net6_srv } tag SRV_INET keep state
pass in on $if_srv inet proto icmp from $net4_srv icmp-type $icmp_types tag SRV_INET keep state
pass in on $if_srv inet6 proto ipv6-icmp tag SRV_INET keep state

# policy enforcement
# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT
# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET
# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET

Axton Grams
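The question in the thread is why nat-to on the first, non-quick pass rule does nothing while the same nat-to on a quick rule at the bottom (or on a match rule) works. The script below is an added illustration, not part of this thread and not pf code: it is a toy model of the rule-evaluation semantics that pf.conf(5) documents (tags are sticky even on a rule that is not the last match; parameters on match rules are sticky; for pass/block the last matching rule wins unless one is quick; nat-to on a pass rule only takes effect if that rule wins). Addresses, protocols and state are ignored; the interface names "int"/"ext", the rule lists and the tag names are constructed stand-ins for the three ruleset shapes discussed above.

```python
"""Toy model of pf rule evaluation for the pieces this thread argues about:
'tag'/'tagged', 'quick', 'match' and 'nat-to'.  Added illustration of the
pf.conf(5) semantics, not pf's own code; it ignores addresses, protocols and
state and tracks only direction, interface, tag and nat-to."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                      # "match", "pass" or "block"
    direction: Optional[str] = None  # "in", "out" or None for both ('all')
    iface: Optional[str] = None      # interface name, or None for any
    tagged: Optional[str] = None     # required pre-existing tag ('tagged X')
    tag: Optional[str] = None        # tag to apply ('tag X')
    nat_to: Optional[str] = None     # translation address ('nat-to X')
    quick: bool = False


@dataclass
class Packet:
    tag: Optional[str] = None        # pf keeps exactly one tag per packet
    nat_to: Optional[str] = None     # translation selected so far
    decision: str = "pass"           # pf's default when no rule matches


def evaluate(rules: List[Rule], direction: str, iface: str, pkt: Packet) -> Packet:
    """Walk the ruleset for one direction on one interface.

    - match rules set their parameters immediately and evaluation continues,
      so a nat-to set by a match rule is sticky until overridden;
    - for pass/block the last matching rule wins unless one is 'quick';
    - 'tag' is sticky even on a pass rule that later loses, while 'nat-to'
      on a pass rule only takes effect if that rule is the winner.
    """
    winner = None
    for r in rules:
        if r.direction not in (None, direction) or r.iface not in (None, iface):
            continue
        if r.tagged is not None and pkt.tag != r.tagged:
            continue
        if r.tag is not None:
            pkt.tag = r.tag          # sticky, regardless of who wins later
        if r.action == "match":
            if r.nat_to is not None:
                pkt.nat_to = r.nat_to
            continue                 # match never terminates evaluation
        winner = r
        if r.quick:
            break
    if winner is not None:
        pkt.decision = winner.action
        if winner.nat_to is not None:
            pkt.nat_to = winner.nat_to
    return pkt


def forward(rules: List[Rule]) -> Packet:
    """One LAN packet through the box: in on $int, then out on $ext."""
    pkt = evaluate(rules, "in", "int", Packet())
    if pkt.decision != "pass":
        return pkt
    return evaluate(rules, "out", "ext", pkt)


# 1. nat-to on a non-quick pass rule at the top of the filter section, then a
#    generic 'pass out on $_ext ...' later on: the later rule wins and carries
#    no nat-to, so nothing is translated (constructed ruleset).
NAT_ON_FIRST_PASS = [
    Rule("block"),                                   # 'block log all'
    Rule("pass", "out", "ext", tagged="LAN_TO_INET", tag="LAN_NAT_TO_INET", nat_to="ext"),
    Rule("pass", "in", "int", tag="LAN_TO_INET"),
    Rule("pass", "out", "ext"),                      # e.g. 'pass out on $_ext inet proto tcp all'
]

# 2. Same ruleset plus 'pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to'
#    at the bottom: the sticky tag from the first pass rule lets the quick
#    rule win, and its nat-to is applied.
NAT_ON_QUICK_AT_BOTTOM = NAT_ON_FIRST_PASS + [
    Rule("pass", "out", "ext", tagged="LAN_NAT_TO_INET", nat_to="ext", quick=True),
]

# 3. match-based layout (the shape of the 'match out ... nat-to' rules above):
#    translation is sticky from the match rule, filtering is decided by the
#    quick pass, and the intervening 'block out' cannot undo either.
NAT_ON_MATCH = [
    Rule("block"),
    Rule("match", "out", "ext", tagged="LAN", nat_to="ext"),
    Rule("pass", "in", "int", tag="LAN"),
    Rule("block", "out", "ext"),
    Rule("pass", "out", "ext", tagged="LAN", quick=True),
]


if __name__ == "__main__":
    for name, rs in [("nat-to on first pass rule", NAT_ON_FIRST_PASS),
                     ("quick nat-to rule at bottom", NAT_ON_QUICK_AT_BOTTOM),
                     ("match nat-to + quick pass", NAT_ON_MATCH)]:
        p = forward(rs)
        print(f"{name:28s} decision={p.decision} nat_to={p.nat_to} tag={p.tag}")
```

Running it shows the first shape passing the packet untranslated, while the other two pass it with nat-to set; the practical lesson is the one the match-based ruleset in the reply already applies: put nat-to on a match rule (or on the rule that is guaranteed to win), and use tags only to decide which packets that rule sees.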