Hi Peter,
Here is my pf.conf file:
# Macros
wan1 = "pppoe0"
wan2 = "pppoe1"
lan = "em0"
https_server = "192.168.101.168"
# Options
set skip on { lo0 enc0 }
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
# FTP Proxy
anchor "ftp-proxy/*"
# NAT Lan users on pppoe0 (wan1)
match out on $wan1 inet from $lan:network to any nat-to ($wan1)
# Default FW Policy
block drop log from any to any
# Lan
pass in log quick on $lan inet proto udp from $lan:network to any port 53
pass in log quick on $lan inet proto tcp from $lan:network to any port www divert-to 127.0.0.1 port 3129 label "Squid proxy"
pass in log quick on $lan inet proto tcp from $lan:network to any port ftp divert-to 127.0.0.1 port 8021 label "FTP Proxy"
pass in log quick on $lan inet proto tcp from $lan:network to any port { 25,110,143,443,465,587,993,995 }
#
pass log quick proto tcp from any to port 22
#
# Here is where and what I don't know to do?
# How to forward https requests to https_server arriving at pppoe1 interface/IP
#
# Outgoing from interfaces
pass out from ($lan)
pass out from ($wan1)
pass out from ($wan2)
OpenBSD's default gateway is at pppoe0
Thanks...
On Saturday, October 25, 2014 2:52 PM, Peter N. M. Hansteen <[email protected]>
wrote:
Theron ZORBAS <[email protected]> writes:
> Modems are in bridge mode. OpenBSD is getting public addresses via pppoe.
> 1.1.1.1 is default gateway on OpenBSD.
> I'm trying to reach https server behind 2.2.2.2 ip address on pppoe1.
> So i have this rule for this aim:
> pass log quick from 192.168.101.168 to any binat-to 2.2.2.2
>
> I see packets are reaching at 192.168.101.168 but no response.
> I think it's about reply-to / route-to but got no success with my tries.
>
> Can anyone tell me how to handle this issue please?
Without your complete ruleset it's near impossible to debug your
problem. But on any recent OpenBSD you can improve your debugging
capability significantly by using log (matches) to track exactly what
rules are in fact matched by a specific connection.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
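
Added example, not part of the original thread: one way to read the output that log (matches) produces, by grouping pflog lines per source endpoint and listing every rule each connection touched, in order. The log lines, rule numbers and the 203.0.113.x client addresses are constructed, and the line layout is an assumption about what tcpdump prints for pflog0 (IPv4 only).

```python
import re

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output after adding
# `log (matches)` to a match rule. Not captured from the poster's firewall.
SAMPLE = """\
Oct 25 15:01:02.100001 rule 4/(match) match in on pppoe1: 203.0.113.7.40112 > 2.2.2.2.443: S 1:1(0) win 16384
Oct 25 15:01:02.100009 rule 9/(match) pass in on pppoe1: 203.0.113.7.40112 > 2.2.2.2.443: S 1:1(0) win 16384
Oct 25 15:01:02.100040 rule 14/(match) pass out on em0: 203.0.113.7.40112 > 192.168.101.168.443: S 1:1(0) win 16384
Oct 25 15:01:05.000000 rule 1/(match) block in on pppoe1: 203.0.113.9.5000 > 2.2.2.2.23: S 1:1(0) win 1024
"""

# Assumed layout: "rule N/(reason) action dir on iface: src > dst:"
LINE = re.compile(
    r"rule (?P<rule>[^/\s]+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+):"
)

def trace(text):
    """Return {source ip.port: [(rule, action, dir, iface, dst), ...]} in log order."""
    flows = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip anything that is not a pflog rule line
        hop = (m["rule"], m["action"], m["dir"], m["iface"], m["dst"])
        flows.setdefault(m["src"], []).append(hop)
    return flows

def first_block(hops):
    """Return the first hop whose action is 'block', or None if none was logged."""
    for hop in hops:
        if hop[1] == "block":
            return hop
    return None

if __name__ == "__main__":
    for src, hops in trace(SAMPLE).items():
        print(src)
        for rule, action, direction, iface, dst in hops:
            print(f"  rule {rule:>3} {action:<5} {direction:<3} on {iface:<7} -> {dst}")
        hit = first_block(hops)
        print("  blocked by rule", hit[0] if hit else "(none logged)")
```
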