I have been doing a lot of reading (Artymiak, OpenBSD PF Manual) and searching (Google and Archives), but I'm still missing something, I guess.
I thought that since she was initiating the connections to ports 53 and 500, the keep state entries on the outbound tcp and udp traffic would be enough to ensure she could connect and wouldn't require me to set up NAT for these connections. Am I wrong? What am I missing here?
Thank you for any help. My pf.conf is below.
rvb
#=================================
# Macros
#=================================
# Set to "log" to log every rule that carries $log_flg; leave empty to
# disable. An empty macro simply expands to nothing.
log_flg = ""

# Interfaces: external, DMZ and internal LAN.
ext_if = "fxp0"
dmz_if = "xl0"
int_if = "xl1"

# Hosts that receive redirected (rdr) traffic.
dmz_ip = "192.168.2.199"
win_ip = "192.168.3.100"

#=================================
# Port Nbr Mapping
#=================================
ssh     = "22"
ident   = "113"
irc_dcc = "1024:1066"
web_svr = "80"
tomcat  = "8080"

# Services the firewall itself answers on its external address.
tcp_services = "{" $ssh "}"
icmp_types   = "echoreq"

# Loopback and RFC 1918 ranges; used to reject them on $ext_if.
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#=================================
# Options
#=================================
# Blocked packets are dropped silently rather than answered with a TCP RST
# or ICMP unreachable.
set block-policy drop
# Interface whose packet/byte counters pfctl reports.
set loginterface $ext_if

#=================================
# Scrub Rules
#=================================
# Normalize (reassemble fragments, sanity-check) every incoming packet
# before it reaches the filter rules.
scrub in all
#=================================
# NAT and Forwarding Rules
#=================================
# Hide both the LAN and the DMZ behind the external address. The
# parentheses make pf re-read the address whenever it changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)

# Inbound web and servlet traffic on the external address goes to the
# DMZ host.
rdr on $ext_if proto tcp from any to $ext_if port $web_svr -> $dmz_ip
rdr on $ext_if proto tcp from any to $ext_if port $tomcat  -> $dmz_ip

# Inbound ident and IRC DCC go to the Windows box on the LAN.
rdr on $ext_if proto tcp from any to $ext_if port $ident   -> $win_ip
rdr on $ext_if proto tcp from any to $ext_if port $irc_dcc -> $win_ip

# LAN clients that address the web server / servlet engine via the
# external address are redirected straight to the DMZ host.
rdr on $int_if proto tcp from any to $ext_if port $web_svr -> $dmz_ip
rdr on $int_if proto tcp from any to $ext_if port $tomcat  -> $dmz_ip
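#=================================
# Filter Rules
#=================================
# Default deny; everything below is an exception. The last matching rule
# wins unless it carries "quick".
block all

pass $log_flg quick on lo0 all

# Block packets whose source address belongs to one interface's network
# but that arrive on a different interface.
antispoof $log_flg quick for $ext_if
antispoof $log_flg quick for $dmz_if
antispoof $log_flg quick for $int_if

# Private address space must not cross the external interface in either
# direction. Translation runs before filtering, so legitimate LAN/DMZ
# sources already carry the external address here.
block drop in  $log_flg quick on $ext_if from $priv_nets to any
block drop out $log_flg quick on $ext_if from any to $priv_nets

# tcp_services: services the firewall itself offers on its external address
pass in $log_flg on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# web server (rdr'd to $dmz_ip); synproxy completes the handshake before the
# DMZ host sees the connection
pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $web_svr \
    flags S/SA synproxy state

# servlet/jsp engine
pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $tomcat \
    flags S/SA synproxy state

# ident requests (rdr'd to $win_ip). Stateful like the other inbound rules,
# so the reply path does not rely on state created implicitly by the
# translation.
pass in $log_flg on $ext_if proto tcp from any to $win_ip port $ident \
    flags S/SA keep state

# dcc send (rdr'd to $win_ip); same reasoning as ident
pass in $log_flg on $ext_if proto tcp from any to $win_ip port $irc_dcc \
    flags S/SA keep state

# ping requests, accepted on every interface
pass in $log_flg inet proto icmp all icmp-type $icmp_types keep state

# pass out all tcp, udp, and icmp packets; modulate state randomizes the
# initial sequence numbers of outbound tcp connections
pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA
pass out $log_flg on $ext_if proto { udp, icmp } all keep state
# NOTE(review): only tcp, udp and icmp may leave via $ext_if. An IPsec client
# on the LAN gets its IKE exchange (udp 500) and NAT-T (udp 4500) through
# these rules, but ESP (ip proto 50) and AH (51) are not listed and fall
# under "block all" -- check whether the port 500 problem is really the ESP
# leg before changing NAT.

# pass all traffic to the dmz
# NOTE(review): "to any" also lets DMZ hosts open connections into
# $int_if:network (the LAN rules below pass them out), so a compromised DMZ
# server is not isolated from the LAN. If that is not intended, add a quick
# block from $dmz_if:network to $int_if:network ahead of this rule.
pass in  $log_flg on $dmz_if from $dmz_if:network to any keep state
pass out $log_flg on $dmz_if from any to $dmz_if:network keep state

# pass all traffic to and from the local network
pass in  $log_flg on $int_if from $int_if:network to any keep state
pass out $log_flg on $int_if from any to $int_if:network keep state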