Hi list,

I have a working setup with 2 cascaded firewalls (OpenBSD 4.5 on my
external firewall, 4.6 on my internal firewall).

NAT is done on the external interface of the internal firewall (which
is connected to the external firewall).

Now I want to exclude one of the workstations behind the internal
firewall from NAT. This workstation should be allowed to connect to
one server only (which is connected to another interface of the
external firewall).

Intended setup is as follows:

[Indentation for better readability]

Workstation
  10.1.2.2/24
  gateway is 10.1.2.1

Internal firewall
  10.1.2.1/24 xl0 (connected to workstation)
  10.1.0.2/24 xl1 (connected to external firewall)
  gateway is 10.1.0.1

External firewall
  10.1.0.1/16 re0 (connected to internal firewall)
  10.0.2.1/24 re1 (connected to server)

Server
  10.0.2.2/24
  gateway is 10.0.2.1

NAT rules on internal firewall
  no nat on xl1 from 10.1.2.2 to any
  nat on xl1 from any to any -> 10.1.0.2

Filtering rules on internal firewall

  # general rules
  block all
  antispoof quick for { lo xl0 xl1 }

  # xl0 rules
  # no quick rules before the following rule
  pass in on xl0 from 10.1.2.2 to 10.0.2.1
  # no block rules after the previous rule

  # snip - other interfaces

  # xl1 rules
  # no quick rules before the following rule
  pass out on xl1 from 10.1.2.2 to 10.0.2.1
  # no block rules after the previous rule

Filtering rules on external firewall

  # general rules
  block all
  antispoof quick for { lo re0 re1 }

  # re0 rules
  # no quick rules before the following rule
  pass in on re0 from 10.1.2.2 to 10.0.2.1
  # no block rules after the previous rule

  # snip - other interfaces

  # re1 rules
  # no quick rules before the following rule
  pass out on re1 from 10.1.2.2 to 10.0.2.1
  # no block rules after the previous rule

This does not seem to work, however, as the workstation
cannot connect to the server (it was able to connect
with NAT).

What am I doing wrong? Any hints would be appreciated.
Thank you very much in advance.
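To see how pf decides on a packet under the rules as posted, here is an added example; it is not part of the original mail and not the poster's configuration. It is a small Python model of pf's last-matching-rule semantics (a matching `quick` rule ends evaluation at once) that walks the two posted filter sets at each point a workstation packet crosses: in on xl0, out on xl1, in on re0, out on re1. Rule sets, interface names and addresses are copied from the post; the parser is the example's own and handles only the rule forms used there, skips `antispoof` (pf expands it to rules of its own), and does not model the NAT rules or routing. It traces one packet to 10.0.2.1 (the address in the pass rules) and one to 10.0.2.2 (the server address given in the post).

```python
"""Toy model of pf rule evaluation: the last matching rule wins unless a
matching rule says 'quick'. Added example, not pf and not the poster's
config. Parses only: 'block all' and 'pass {in|out} on IF from A to B'."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str]  # "in", "out", or None for both
    iface: Optional[str]      # None matches any interface
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    quick: bool
    text: str


def to_net(token: str) -> ipaddress.IPv4Network:
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(conf: str) -> List[Rule]:
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("antispoof"):
            continue                          # antispoof not modelled here
        tok = line.split()
        if tok[0] not in ("pass", "block"):
            raise ValueError("unsupported rule: " + line)
        direction = iface = None
        src = dst = ANY
        i = 1
        while i < len(tok):
            if tok[i] in ("in", "out"):
                direction = tok[i]
            elif tok[i] in ("on", "from", "to"):  # keywords taking one argument
                i += 1
                if tok[i - 1] == "on":
                    iface = tok[i]
                elif tok[i - 1] == "from":
                    src = to_net(tok[i])
                else:
                    dst = to_net(tok[i])
            i += 1                                # "all" and "quick" take none
        rules.append(Rule(tok[0], direction, iface, src, dst, "quick" in tok, line))
    return rules


def evaluate(rules: List[Rule], direction: str, iface: str, src: str, dst: str):
    """Return (verdict, rule_text). The LAST matching rule decides, except a
    matching 'quick' rule stops evaluation immediately. No match at all means
    pass (unreachable here: both posted sets open with 'block all')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for r in rules:
        if r.direction not in (None, direction) or r.iface not in (None, iface):
            continue
        if s not in r.src or d not in r.dst:
            continue
        winner = r
        if r.quick:
            break
    return ("pass", "<default>") if winner is None else (winner.action, winner.text)


# Filter rules exactly as posted; the 'no nat'/'nat' lines are not modelled.
INTERNAL_FW = """
block all
antispoof quick for { lo xl0 xl1 }
pass in on xl0 from 10.1.2.2 to 10.0.2.1
pass out on xl1 from 10.1.2.2 to 10.0.2.1
"""
EXTERNAL_FW = """
block all
antispoof quick for { lo re0 re1 }
pass in on re0 from 10.1.2.2 to 10.0.2.1
pass out on re1 from 10.1.2.2 to 10.0.2.1
"""
# Filter points a workstation packet crosses, in order (from the posted layout).
PATH = [("internal", "in", "xl0"), ("internal", "out", "xl1"),
        ("external", "in", "re0"), ("external", "out", "re1")]


def trace(src: str, dst: str):
    """(point, verdict, rule) at each filter point, stopping at the first
    block: a dropped packet never reaches the next hop."""
    sets = {"internal": parse_rules(INTERNAL_FW), "external": parse_rules(EXTERNAL_FW)}
    out = []
    for fw, direction, iface in PATH:
        verdict, text = evaluate(sets[fw], direction, iface, src, dst)
        out.append((fw + " " + direction + " " + iface, verdict, text))
        if verdict == "block":
            break
    return out


if __name__ == "__main__":
    for dst in ("10.0.2.1", "10.0.2.2"):   # re1 address in the rules; server address
        print("10.1.2.2 ->", dst)
        for point, verdict, text in trace("10.1.2.2", dst):
            print("  %-16s %-5s  %s" % (point, verdict, text))
```

Running it prints the rule that decides at each hop for both destinations; `evaluate` can also be fed any small rule set to check how `quick` changes the outcome compared with the plain last-match order the posted comments rely on.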