Hi all,

I upgraded my NAT firewall from OpenBSD 3.1 to OpenBSD 3.2. Everything seems
to work except DNS! (I've made macro substitutions for real addresses)

The clients are set up to get the NAT firewall as the gateway. Pinging our
local DNS server returns:

Reply from $NAT_public_ip: Destination host unreachable

gateway# cat hostname.fxp0
inet $NAT_public_ip 0xffffff00 NONE
inet alias $bdc_public_ip 0xffffff00 NONE
inet alias $hapkido_public_ip 0xffffff00 NONE

gateway# cat hostname.fxp1
inet $NAT_private_ip 0xffffff00 NONE

gateway# pfctl -ss
tcp $hapkido_private_ip:1990 -> $hapkido_public_ip:1990 -> server1:1059
ESTABLISHED:ESTABLISHED
tcp $hapkido_private_ip:2020 -> $hapkido_public_ip:2020 -> server2:22
ESTABLISHED:ESTABLISHED
tcp $hapkido_private_ip:1995 -> $hapkido_public_ip:1995 -> server3:139
ESTABLISHED:ESTABLISHED

I set no filter rules, just defined nat and two binats (with aliases on the
external addresses for replies) for fixed addresses.

/etc/pf.conf
ext_if = "fxp0"
int_if = "fxp1"
(other macros)
nat on $ext_if from $private_ip_range to any -> $NAT_public_ip
binat on $ext_if from $bdc_private_ip to any -> $bdc_public_ip
binat on $ext_if from $hapkido_private_ip to any -> $hapkido_public_ip

# filter rules
# the implicit first two rules are
# pass in all
# pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state
# log blocked packets

# block in log all
# pass  in  on ext0 proto tcp from any to ext0 port 22 keep state
# pass  out on ext0 proto { tcp, udp } all keep state

It's mostly working, so it's something subtle ...

***************************     
* Adam Getchell                                 [EMAIL PROTECTED]
* System Architect/Programmer                   (530) 752-1584
* Human Resources Information Systems   http://www.hr.ucdavis.edu/
***************************     
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
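Since the state table above shows only TCP entries, one thing worth checking is whether the DNS lookups are creating any NAT state at all. The parser below (added example, not code from the post) reads `pfctl -ss` output in the OpenBSD 3.2 layout shown above, where the state pair wraps onto the following line, and reports the states aimed at the DNS server on udp/53; the sample input is constructed, and `dns_server` and `$client_private_ip` are placeholder names.

```python
"""Summarise `pfctl -ss` output and look for DNS (udp/53) states."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample in the same layout as the post: the STATE:STATE pair
# is printed on the line after the translation.
SAMPLE = """\
tcp $hapkido_private_ip:1990 -> $hapkido_public_ip:1990 -> server1:1059
ESTABLISHED:ESTABLISHED
tcp $hapkido_private_ip:2020 -> $hapkido_public_ip:2020 -> server2:22
ESTABLISHED:ESTABLISHED
udp $client_private_ip:1025 -> $NAT_public_ip:50001 -> dns_server:53
       SINGLE:NO_TRAFFIC
"""

ENDPOINT = r"(\S+?):(\d+)"
# proto src -> [translated ->] dst ; the middle endpoint is absent when
# pf did not translate the connection.
STATE_RE = re.compile(
    rf"^(tcp|udp|icmp)\s+{ENDPOINT}\s+->\s+(?:{ENDPOINT}\s+->\s+)?{ENDPOINT}$"
)

@dataclass
class State:
    proto: str
    src: Tuple[str, int]
    nat: Optional[Tuple[str, int]]   # None when no translation applied
    dst: Tuple[str, int]
    status: str

def _rejoin(text):
    """Glue each wrapped STATE:STATE line onto the entry before it."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STATE_RE.match(line):
            entries.append([line, ""])
        elif entries:
            entries[-1][1] = line
    return entries

def parse_states(text):
    states = []
    for entry, status in _rejoin(text):
        proto, sh, sp, nh, np_, dh, dp = STATE_RE.match(entry).groups()
        nat = (nh, int(np_)) if nh else None
        states.append(State(proto, (sh, int(sp)), nat, (dh, int(dp)), status))
    return states

def dns_states(states, dns_server):
    """States whose destination is the DNS server on udp/53."""
    return [s for s in states if s.proto == "udp" and s.dst == (dns_server, 53)]
```

An empty result from `dns_states` while clients are resolving means the queries never reached the nat rule, which separates a translation problem from a routing or reply-path one.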
