Hello, I'm having a problem with NAT. I have given up trying fancy pf stuff and I am using a barely modified version of the example ruleset from the using pf guide on the OpenBSD site:
# OpenBSD Packet Filter Configuration
#
# macros
ext_if="dc0"
int_if="sis0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

The only thing that I took out was the web server, so there is no inbound access in this configuration. I have the same pf.conf file on both of my servers. The layout looks like this:

Internet
  |
  - public ip
OpenBSD box A running as router
  - public ip
  |
  - public ip
OpenBSD box B running as firewall
  - 10.100.100.1
  |
  - 10.100.100.120
OpenBSD box C running as desktop

The problem that I am having is that I can't surf the information superhighway from box C. So I've been looking at the network traffic to see how far it is going, and it's getting past the firewall but not past the router. I believe the problem is that box B is not performing network address translation for box C. When I do a tcpdump on the interface connecting box A and box B, I see packets with 10.100.100.120 as the address. Is there a magic "Turn NAT On" switch I'm not using? I have modified my /etc/sysctl.conf to enable IP forwarding.

I'm stuck... Does anyone have a suggestion on what I can try or what I am doing wrong?

Thanks,
JB
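The preconditions the post is asking about (IP forwarding on, a nat rule present, the nat rule bound to an interface that actually exists on the box) can be checked offline against the configuration files. The script below is an added example, not code from the post or from OpenBSD: it expands the pf.conf macros, finds the nat rules, and compares the interface they are bound to against a set of interface names the caller supplies (in practice, the output of ifconfig on the box being checked). The sysctl.conf contents and the interface sets are constructed for the example.

```python
"""Offline sanity check of NAT preconditions in a pf.conf / sysctl.conf pair (added example)."""
import re

# The ruleset from the post, embedded so the check runs stand-alone.
PF_CONF = r'''
# macros
ext_if="dc0"
int_if="sis0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in
pass out keep state
pass in quick on $int_if
'''

# Constructed /etc/sysctl.conf content (what the post says was enabled).
SYSCTL_CONF = "net.inet.ip.forwarding=1\n"

# name="value" or name=value, with an optional trailing comment.
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')


def parse_macros(text):
    """Collect pf macro definitions (ext_if, int_if, ...) into a dict."""
    macros = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def expand(line, macros):
    """Substitute $macro references; unknown macros are left as-is."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)


def nat_rules(text):
    """Return the macro-expanded 'nat on ...' rules (not nat-anchor lines)."""
    macros = parse_macros(text)
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('nat on'):
            rules.append(expand(line, macros))
    return rules


def forwarding_enabled(sysctl_text):
    """True only if net.inet.ip.forwarding is explicitly set to 1."""
    for raw in sysctl_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('net.inet.ip.forwarding'):
            return line.split('=', 1)[1].strip() == '1'
    return False


def check_nat(pf_text, sysctl_text, interfaces):
    """Return a list of findings; an empty list means the preconditions look fine."""
    findings = []
    macros = parse_macros(pf_text)
    if not forwarding_enabled(sysctl_text):
        findings.append("ip forwarding disabled")
    rules = nat_rules(pf_text)
    if not rules:
        findings.append("no nat rule")
    for rule in rules:
        m = re.match(r'nat on (\S+)', rule)
        iface = m.group(1) if m else None
        if iface and iface not in interfaces:
            findings.append(f"nat interface {iface} not present on host")
    ext, inner = macros.get('ext_if'), macros.get('int_if')
    if ext and inner and ext == inner:
        findings.append("ext_if and int_if are the same interface")
    return findings


if __name__ == "__main__":
    # Interface set as it would look on box B if the macros matched its hardware.
    for finding in check_nat(PF_CONF, SYSCTL_CONF, {"dc0", "sis0"}) or ["ok"]:
        print(finding)
```

The same pf.conf on two differently-equipped boxes is exactly the case the interface check is for: if box B's external interface is not really dc0, the nat rule binds to nothing, and the 10.100.100.x source addresses pass through untranslated, which is what the tcpdump in the post shows.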