Hello,

I'm having a problem with NAT. I have given up trying fancy pf stuff
and I am using a barely modified version of the example ruleset from
the using pf guide on the OpenBSD site:

# OpenBSD Packet Filter Configuration
#

# macros
ext_if="dc0"
int_if="sis0"

tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $int_if


The only thing that I took out was the web server, so there is no
inbound access in this configuration. I have the same pf.conf file on
both of my servers. The layout looks like this.


Internet
 |
 - public ip
OpenBSD box A running as router
 - public ip
 |
 - public ip
OpenBSD box B running as firewall
 - 10.100.100.1
 |
 - 10.100.100.120
OpenBSD box C running as desktop


The problem that I am having is that I can't surf the information
superhighway from box C. So I've been looking at the network traffic
to see how far it is going and it's getting past the firewall but not
past the router.

I believe the problem is that box B is not performing network address
translation for box C. When I do a tcpdump on the interface connecting
box A and box B, I see packets with 10.100.100.120 as the address.

Is there a magic "Turn NAT On" switch I'm not using? I have modified
my /etc/sysctl.conf to enable IP forwarding.

I'm stuck... Does anyone have a suggestion on what I can try or what I
am doing wrong?

Thanks,

JB
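A checklist for the three prerequisites that make pf silently skip translation even when the nat rule above is correct: this is an added example, not from the original post; it assumes OpenBSD's pfctl(8) and sysctl(8), takes the interface name dc0 from the ruleset above, and the sample outputs in its checks are constructed.

```shell
#!/bin/sh
# Added diagnostic for the NAT question above; not part of the original post.
# Assumes OpenBSD pfctl(8)/sysctl(8). Each check is a pure function over the
# command's output so it can be exercised with constructed sample text.

# $1 = the line `sysctl net.inet.ip.forwarding` prints.
# /etc/sysctl.conf is only read at boot; this looks at the live value.
forwarding_enabled() {
    [ "$1" = "net.inet.ip.forwarding=1" ]
}

# $1 = output of `pfctl -si`. If pf itself is disabled (pf=YES missing from
# /etc/rc.conf.local, or someone ran `pfctl -d`) no rule is applied at all,
# the nat rule included, and packets leave with their private source address.
pf_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# $1 = external interface, $2 = output of `pfctl -s nat`. Confirms the nat
# rule is in the *loaded* ruleset: a parse error during `pfctl -f` leaves the
# previous ruleset in place, so the file on disk and the kernel can differ.
nat_rule_loaded() {
    printf '%s\n' "$2" | grep -q "^nat on $1 "
}

# Run the three checks against the live box; stop at the first failure and
# say what to look at next.
check_nat_prereqs() {
    ext_if="${1:-dc0}"
    forwarding_enabled "$(sysctl net.inet.ip.forwarding)" ||
        { echo "forwarding off: sysctl net.inet.ip.forwarding=1"; return 1; }
    pf_enabled "$(pfctl -si)" ||
        { echo "pf disabled: pfctl -e, and pf=YES in /etc/rc.conf.local"; return 1; }
    nat_rule_loaded "$ext_if" "$(pfctl -s nat)" ||
        { echo "no nat rule on $ext_if loaded: pfctl -nf /etc/pf.conf, then pfctl -f /etc/pf.conf"; return 1; }
    echo "NAT prerequisites present on $ext_if; next: pfctl -s state | grep 10.100.100.120"
}

# Only touch the live system when explicitly asked (not when sourced).
if [ "${CHECK_NAT_RUN:-0}" = 1 ]; then
    check_nat_prereqs "$@"
fi
```

Run it on box B with `CHECK_NAT_RUN=1 sh check_nat.sh dc0`; if all three pass, the remaining suspects are the ruleset on box A (it must route the public address, not 10.100.100.0/24, back) and the state table, which `pfctl -s state` will show.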
