Martin Toft wrote:
charles Collin wrote:
# NAT section
binat on ext_if from 10.0.0.B to any -> X.Y.Z.B
# Rules section, I only need https access to this machine.
block all
.
.
.
pass in on ext_if proto tcp from any to X.Y.Z.B port https
pass out on dmz_if proto tcp from any to 10.0.0.B port https
pass in on dmz_if proto tcp from 10.0.0.B port https to any
pass out on ext_if proto tcp from X.Y.Z.B port https to any
Well ... this does not work and I can't find a reason why.
What I noticed:
When logged on the OpenBSD box, a "telnet 10.0.0.B 443" works fine.
However, from the outside, I can't reach the port, as if the address
was not translated and the packet was routed to the OpenBSD box where
no web server runs.
The translation is done before the filtering, i.e. you have to match on
the translated destinations on the incoming traffic:
pass in on ext_if proto tcp from any to 10.0.0.B port https
(at least that's what's going on with regular nat/rdr, I'm not really
familiar with binat)
If you only want a couple of ports on the webservers to be reachable
from the internet, I don't see the point in using binat over regular
nat/rdr.
Cheers,
Martin
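As an added example (not part of the thread, and not a ruleset either poster ran), here is a complete pf.conf in the translation-section syntax the thread is using, i.e. pf before OpenBSD 4.7, with the translation rules kept separate from the filter rules and the filter rules matching the already-translated destination. Interface names are assumed; X.Y.Z.B and 10.0.0.B are the placeholder addresses from the original post. Per Martin's second point, it uses rdr for the single port instead of binat, so only TCP/443 of the public address is ever forwarded into the DMZ.

```conf
# Added example; not the original poster's ruleset. Interface names are assumed,
# addresses are the placeholders from the thread.
ext_if = "fxp0"
dmz_if = "fxp1"
web_pub  = "X.Y.Z.B"     # public address of the web server (placeholder)
web_priv = "10.0.0.B"    # DMZ address of the web server (placeholder)

# --- Translation section (evaluated BEFORE the filter rules) ---
# Only TCP/443 of the public address is redirected into the DMZ; every other
# port on X.Y.Z.B simply has no translation and is dropped by "block all".
rdr on $ext_if proto tcp from any to $web_pub port https -> $web_priv
# Source translation so the web server can still originate connections
# (updates, DNS, ...) from the same public address.
nat on $ext_if from $web_priv to any -> $web_pub

# --- Filter section ---
# By the time these rules run, the inbound packet's destination is already
# 10.0.0.B, so the pass rule must name the private address, not X.Y.Z.B.
block all
pass in  on $ext_if proto tcp from any to $web_priv port https keep state
pass out on $dmz_if proto tcp from any to $web_priv port https keep state
```

"keep state" lets the replies from 10.0.0.B port 443 back out through ext_if match the existing state entry, so the two stateless reply rules from the original post (the "from 10.0.0.B port https to any" ones) are not needed; if you would rather keep the 1:1 binat mapping, replace the rdr and nat lines with the original binat line and leave the filter rules exactly as above, since the filter side of the problem is the same. Note that from OpenBSD 4.7 onward the separate translation section is gone and translation is an option on the filter rule itself (rdr-to, nat-to, binat-to on a pass or match rule); in that syntax a "pass in ... rdr-to" rule matches the public address, so this before/after-translation distinction no longer applies in the same way.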
OK,
Actually, i thought the chain was as follows:
LAN ==== int_if || pf <=> NAT <=> pf || ext_if ==== Inet
Hence I would use public addresses in rules regarding the ext_if
interface and private addresses in rules regarding the int_if interface!
But I was wrong apparently!
Thanks for the tip, it all works great now!
Cheers,
Charles.