On 06/22/2006 06:53:47 PM, Jascha Dub wrote:
> I am in the process of setting up a firewall for our datacenter.
>
> The issue I am having is I can ping internal and external hosts from the
> firewall.  But can not get out from my internal servers.  I'm sure it
> is something pretty simple I am overlooking.
>
> nat on $ext_if from any to any -> ($ext_if)
> binat on $ext_if from $dnsServer to any -> $dnsExternalIp # nat external traffic
> binat on $ext_if from $web_servers to any -> $web_serv_ext
>
> block log all
>
>
> pass out on $ext_if proto { tcp, udp } from $internal_nets to any keep state

The nat is done before the "pass out" is evaluated, so they
don't come from $internal_nets any more.

You're better off tagging each rule and then using a
tag to allow datagrams out of the firewall. Offhand (may not
be really right):

pass in proto tcp from any to port ssh tag UNIVERSAL flags S/SA keep state
pass in on $internal_if proto tcp from any to port http tag EXTERNAL flags S/SA keep state
pass in on $dmz_if proto tcp from any to port ntp tag EXTERNAL flags S/SA keep state
...
pass out on $net_if tagged EXTERNAL keep state
pass out tagged UNIVERSAL keep state

Also, translation rules are "first matching" so I wouldn't expect
your binats to be seen.

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
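A complete pf.conf built on the tagging approach described in the reply above, as an added example that is not part of the original thread or of either poster's configuration. The interface names, the addresses behind the macros, and the choice of which services to permit are assumptions for illustration; the point it shows is that the filter on $ext_if sees the source address after translation, so the outbound rule matches on the tag carried by the state rather than on $internal_nets.

```pf
# Added example, not from the original thread. Interface names, the
# addresses behind the macros and the permitted services are assumptions.
ext_if        = "em0"
int_if        = "em1"
internal_nets = "{ 10.0.0.0/24, 10.0.1.0/24 }"
dnsServer     = "10.0.0.53"
dnsExternalIp = "203.0.113.53"
web_servers   = "10.0.1.80"
web_serv_ext  = "203.0.113.80"

# Translation rules: the first matching rule wins, so the specific binat
# mappings go ahead of the catch-all nat, which would otherwise claim
# every internal source first.
binat on $ext_if from $dnsServer     to any -> $dnsExternalIp
binat on $ext_if from $web_servers   to any -> $web_serv_ext
nat   on $ext_if from $internal_nets to any -> ($ext_if)

# Default deny, logged to pflog0 so misses can be watched with tcpdump.
block log all

# Internal hosts enter on $int_if before any translation has happened,
# so $internal_nets still matches here. The tag is stored in the state
# and follows the connection.
pass in on $int_if proto { tcp, udp } from $internal_nets to any \
    tag EXTERNAL keep state

# On the way out of $ext_if the source is already ($ext_if) or one of
# the binat addresses, so this rule would never match:
#   pass out on $ext_if proto { tcp, udp } from $internal_nets to any keep state
# Match on the tag instead of the (now rewritten) address.
pass out on $ext_if tagged EXTERNAL keep state

# Inbound to a binat address: translation happens before the filter
# here too, so the rule must name the internal address the packet has
# been rewritten to, not $web_serv_ext.
pass in on $ext_if proto tcp from any to $web_servers port http \
    flags S/SA tag DMZ keep state
pass out on $int_if tagged DMZ keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then load it with `pfctl -f /etc/pf.conf`. `pfctl -v -s rules` shows per-rule packet counters, which makes it obvious when a pass rule is never hit, and `tcpdump -n -e -ttt -i pflog0` shows exactly which packets the `block log all` rule is dropping and on which interface.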
