On Wed, 12 May 2010 21:28:03 +1000 "Rod Whitworth" <[email protected]> wrote:
> On Wed, 12 May 2010 13:05:15 +0200, Robert wrote:
> >http://www.openbsd.org/faq/current.html#20090901
> >http://marc.info/?l=openbsd-misc&m=125181847818600&w=2
> >
> Have you actually written and tested a ruleset using either of those
> documents?
> If so please show us.

(oh, you didn't send this only to me offlist, once more for the ml)

I am sending this through an OpenBSD firewall with match nat...
Yes, I changed the old syntax prompted by the commit and the "following -current" FAQ.

> Particularly seeing I referenced both of those in my original post as
> not being helpful and I've been trying to get somebody - anybody - to
> write a minimal NAT ruleset and show me.

I didn't read up on the whole thread. Only wondered what is so hard about changing the nat line to the new syntax.

Here would be a condensed version of what I am actually running in my ADSL gateway (stripped and generalised):

IF_EXT = "pppoe0"
IF_INT = "sk0"

antispoof for $IF_EXT inet
set skip on lo0

match in all scrub (no-df)
match out on $IF_EXT all scrub (no-df random-id max-mss 1440)
match out on $IF_EXT inet from any to ! $IF_INT:network nat-to ($IF_EXT)

block log all
block quick inet6 all
pass in on $IF_INT
pass out on $IF_EXT

Not minimal and generic enough to make into a default cfg, but simple with some nice-to-have stuff left.
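The syntax change this thread is about, shown as a minimal NAT gateway in the pre-4.7 form next to its match/nat-to equivalent. This is an added example, not Robert's ruleset or anything from the OpenBSD FAQ; the interface names, the internal network and the web server address are assumed.

```pf
# Added example (not from the thread): minimal NAT gateway, old and new pf syntax.
# Interface names, the 192.168.1.0/24 network and 192.168.1.10 are assumptions.
ext_if = "pppoe0"
int_if = "sk0"

# --- OpenBSD 4.6 and earlier: translation was a separate rule class ---------
# nat/rdr rules ran before the filter, so filter rules saw translated addresses.
# nat on $ext_if from $int_if:network to any -> ($ext_if)
# rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 192.168.1.10
# block all
# pass out on $ext_if from $int_if:network to any
# pass in on $ext_if proto tcp from any to 192.168.1.10 port 80
# pass in on $int_if

# --- OpenBSD 4.7 and later: nat-to / rdr-to are options on match or pass ----
# A match rule only records the translation; the packet still has to be
# accepted by a later pass rule, otherwise "block all" drops it.
match out on $ext_if from $int_if:network nat-to ($ext_if)
block all
pass out on $ext_if from $int_if:network
# Filter criteria are matched against the packet before translation, so the
# redirect names the external address it arrives on, not the internal host.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to 192.168.1.10
pass in on $int_if
```

Check a converted file with `pfctl -nf /etc/pf.conf` before loading it; an old-style `nat on` or `rdr on` line is rejected as a syntax error on 4.7 and later.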

