Hi there,

I'm having a little bit of difficulty with a binat rule that I need. Here's the situation: I have a machine (10.20.0.100) in the internal LAN (10.20.0.0/24; note the /24 because of my organization's routing policies and network topology) that I'd like to binat onto a routable IP address. The network this machine is on (10.20.0.0/24) is also under plain-old nat.

So, part of my pf.conf setup is this (w.x.y.z is the routable IP address that I'd like to use, aliased to the external interface, which uses w.x.y.[z - 1]):

    binat on $ext_if from 10.20.0.100 to any -> w.x.y.z
    nat on $ext_if from 10.20.0.0/24 to any -> w.x.y.[z - 1]

(Of course, w.x.y.z and w.x.y.[z - 1] are writing aids; I use either proper IP addresses or macros.)

My questions:

1) If I have the machine on binat, should I exclude it from the
   NAT rules? (using nat syntax)

2) I have a default deny filtering policy. But, to take into
   account the binat address, do I have to filter on the external
   interface, the internal, or both? In addition, should I use
   10.20.0.100 (the internal IP) or w.x.y.z?

My filter rules are these:

    block in all
    block out all

    # both $ext_udp and $ext_tcp are lists of ports that I
    # allow incoming connections from the Internet (DNS, NTP,
    # WWW, SMTP, the usual suspects.)
    #
    pass in on $ext_if proto udp from any to any \
        port $ext_udp keep state
    pass in on $ext_if proto tcp from any to any \
        port $ext_tcp keep state

    pass out on $ext_if from $ext_if to any keep state

    pass in on $int_if from 10.20.0.0/24 to any keep state

All the other computers access the Internet pretty well, but I'm missing the rules for binat to work. I've tried several combinations, read the manpages, browsed the archives. Nothing. What's going on?

Oh, happy holidays and a big thanks to OpenBSD and pf hackers!

Best regards,
Carlos.

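The following is an added example and not Carlos's configuration or anything from the thread: a complete pf.conf fragment in the same pre-4.7 syntax the post uses, showing one binat'ed host behind a NATed /24 with a default-deny filter. Interface names (em0, em1), the documentation addresses 203.0.113.9 and 203.0.113.10 (standing in for w.x.y.[z - 1] and w.x.y.z), and the port lists are assumptions chosen for the example. The two points it illustrates are that outbound packets are matched against binat rules before nat rules (so an explicit `no nat` is documentation rather than a requirement), and that translation happens before filtering, so inbound filter rules on the external interface must match the internal address 10.20.0.100 while outbound rules on that interface see the public address.

```conf
# Added example (not the poster's pf.conf). Pre-OpenBSD 4.7 syntax with
# separate translation and filter sections. Interface names and the
# 203.0.113.x addresses are placeholders assumed for this example.
ext_if   = "em0"
int_if   = "em1"
ext_addr = "203.0.113.9"     # primary address of $ext_if   (w.x.y.[z - 1])
binat_ip = "203.0.113.10"    # alias on $ext_if for the binat host (w.x.y.z)
lan      = "10.20.0.0/24"
srv      = "10.20.0.100"     # the host being binat'ed
ext_tcp  = "{ 25, 53, 80 }"  # assumed port lists, as in the post's macros
ext_udp  = "{ 53, 123 }"

# --- Translation -------------------------------------------------------
# For outbound packets pf consults binat rules before nat rules, so $srv
# never reaches the nat line below. The 'no nat' rule is therefore not
# strictly needed; it makes the exclusion explicit and survives later
# reordering of the rules.
binat on $ext_if from $srv to any -> $binat_ip
no nat on $ext_if from $srv to any
nat on $ext_if from $lan to any -> $ext_addr

# --- Filtering ---------------------------------------------------------
# Translation runs before the filter, so on $ext_if:
#   inbound  packets to $binat_ip already have destination $srv
#   outbound packets from $srv already have source $binat_ip
block in all
block out all

# Services hosted on the firewall itself
pass in on $ext_if proto udp from any to $ext_addr port $ext_udp keep state
pass in on $ext_if proto tcp from any to $ext_addr port $ext_tcp keep state

# Services on the binat host: match the INTERNAL address here, not $binat_ip
pass in on $ext_if proto tcp from any to $srv port $ext_tcp keep state
pass in on $ext_if proto udp from any to $srv port $ext_udp keep state

# Outbound on the external side: the binat host leaves as $binat_ip,
# everything else leaves as $ext_addr
pass out on $ext_if from { $ext_addr, $binat_ip } to any keep state

# Internal interface. States are floating by default, so a state created
# by the 'pass in on $ext_if' rules also matches the forwarded packet as
# it leaves $int_if; the explicit 'pass out' keeps the policy working if
# 'set state-policy if-bound' is ever turned on.
pass in  on $int_if from $lan to any keep state
pass out on $int_if from any to $lan keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm the translation is in place with `pfctl -s nat` and watch `pfctl -s state` while connecting to the public address from outside: a working setup shows a state whose destination is 10.20.0.100, which is also why the inbound filter rules use that address rather than the alias.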