[EMAIL PROTECTED] writes:

> The configuration is used to allow internet access with nat and
> incoming connections on a /29 net.

This sounds like a relatively straightforward NATed setup.  PF handles
NAT itself, so something along the lines of

[ pf.conf snippet starts ]
ext_if = "tx1"
int_if = #whatever your internal interface is

localnet = # your local net; "addr/mask" or "if:network" notation
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if) 
[ pf.conf snippet ends ]

should take care of

> # provide internet access from the  NATted LAN
> map tx1 192.168.1.0/24 -> 1.2.3.4/31 portmap tcp/udp 1025:65000
> map tx1 192.168.1.0/24 -> 1.2.3.4/31

For the ftp access 

> # make ftp service request reach the internet from the NATted LAN
> map tx1 192.168.1.0/24 -> 1.2.3.6/32 proxy port ftp ftp/tcp

running ftp-proxy is recommended.  The traditional one runs from inetd,
while the new (OpenBSD 3.9 onwards) is a standalone daemon.  Both are
covered in my tutorial[1], some details differ.

> # let port 3000 requests from 192.168.2.0/24 reach server 192.168.1.1
> on port 3000 in the NATted LAN
> rdr tx1 from 192.168.2.0/24 to 1.2.3.3/32 port = 3000 -> 192.168.1.1
> port 3000
> # let port 6502 requests reach  internal PC 192.168.1.101 on port 3000
> in the NATted LAN and the same for port 6502 to .102
> rdr tx1 1.2.3.3/32 port 6502 -> 192.168.1.101 port 6502
> rdr tx1 1.2.3.3/32 port 6503 -> 192.168.1.122 port 6503

These are ordinary redirects as far as I can see, so would carry over
with minor adjustments.  

Hope this helps,

[1] the tutorial is a work in progress, with a reasonably up to date
    version posted at http://www.bgnett.no/~peter/pf/. For the ftp part,
    see the section http://www.bgnett.no/~peter/pf/en/ftpproblem.html
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.
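
The quoted ipnat rdr rules carried over to pf.conf, as an added example that is not part of the original message. It uses the same pre-4.7 translation syntax as the snippet above; the `ext_srv` macro, the `proto tcp` restriction (the quoted rules name no protocol) and the filter rules are assumptions.

```conf
# Added example, not from the original message.
ext_if   = "tx1"
localnet = "192.168.1.0/24"   # taken from the quoted ipnat map rules
ext_srv  = "1.2.3.3"          # hypothetical macro: external address in the quoted rdr rules

# --- translation (must precede the filter rules in pf.conf) ---
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if)

# ipnat: rdr tx1 from 192.168.2.0/24 to 1.2.3.3/32 port = 3000 -> 192.168.1.1 port 3000
# Assumption: tcp only; adjust proto if the service also uses udp.
rdr on $ext_if proto tcp from 192.168.2.0/24 to $ext_srv port 3000 \
        -> 192.168.1.1 port 3000

# ipnat: rdr tx1 1.2.3.3/32 port 6502 -> 192.168.1.101 port 6502
rdr on $ext_if proto tcp from any to $ext_srv port 6502 \
        -> 192.168.1.101 port 6502

# ipnat: rdr tx1 1.2.3.3/32 port 6503 -> 192.168.1.122 port 6503
rdr on $ext_if proto tcp from any to $ext_srv port 6503 \
        -> 192.168.1.122 port 6503

# --- filtering ---
# rdr rewrites the destination before the filter rules are evaluated,
# so each pass rule matches the internal (translated) address, and
# only the redirected ports are opened on the external interface.
block in on $ext_if all

pass in on $ext_if proto tcp from 192.168.2.0/24 to 192.168.1.1 port 3000 \
        flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.1.101 port 6502 \
        flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.1.122 port 6503 \
        flags S/SA keep state

# Outbound traffic from the NATed LAN; state lets the replies back in
# past the block rule above.
pass out on $ext_if all keep state
```

Parse the file without loading it using `pfctl -nf /etc/pf.conf`, then inspect the loaded translation rules with `pfctl -sn` and the filter rules with `pfctl -sr`.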
