Re: Most barebones pf.conf
Thanks all for the help, got some good ideas from the discussion.

Peter

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Peter Hessler
Sent: Thursday, August 05, 2010 2:49 AM
To: Olivier Mehani
Cc: Robert; misc@openbsd.org
Subject: Re: Most barebones pf.conf

On 2010 Aug 05 (Thu) at 10:42:21 +1000 (+1000), Olivier Mehani wrote:
:=== pf.conf ===
:match out on egress from (ingress:network) to any nat-to (egress)
:pass all
:==

You can simplify this even more:

pass out from !(egress) nat-to (egress:0)

the 'egress' group is added to any interface that has a default route. The '(egress:0)' syntax will have it choose the first IP address on that interface, dynamically chasing any IP address change (think dhcp).

--
Everything is controlled by a small evil group to which, unfortunately, no one we know belongs.
Re: Most barebones pf.conf
On 2010 Aug 05 (Thu) at 10:42:21 +1000 (+1000), Olivier Mehani wrote:
:=== pf.conf ===
:match out on egress from (ingress:network) to any nat-to (egress)
:pass all
:==

You can simplify this even more:

pass out from !(egress) nat-to (egress:0)

the 'egress' group is added to any interface that has a default route. The '(egress:0)' syntax will have it choose the first IP address on that interface, dynamically chasing any IP address change (think dhcp).

--
Everything is controlled by a small evil group to which, unfortunately, no one we know belongs.
Re: Most barebones pf.conf
On Thu, Aug 05, 2010 at 02:17:35AM +0200, Robert wrote:
> > What would be the most barebones pf.conf for an OpenBSD 4.7 nat firewall
> > with 2 nics, that passes everything.
> ext_if="em0"
> table <int_net> const persist {10.10.1.0/24}
> match out on $ext_if from <int_net> to any nat-to ($ext_if)
> pass all

If I'm not mistaken, you could drop the 'ext_if="em0"' and just use interface group 'egress' (which would be your only interface with a default route in this case) in the match rule.

Similarly, assuming your local interface is in the same network as your NATted clients, you could use '($int_if:network)' instead of the address table. This would require declaring an $int_if variable.

Maybe a nicer way to do this would be to put your local interface in a specific group using hostname.$int_if, then only use that group's name in your pf.conf. This has the additional advantage that you can add other local interfaces later on, and have the NAT set up directly for them without modifying your pf.conf, but only their hostname.if. Thus,

=== pf.conf ===
match out on egress from (ingress:network) to any nat-to (egress)
pass all
==

=== hostname.$int_if ===
...
group ingress
==

PS: I'm just saying that from the top of my head, and haven't tried this. Particularly, I'm not sure whether the 'nat-to (egress)' works. It may need a 'nat-to (egress:0)' instead, which may not even work either. I tend to always try out interface group-based solutions first as I find them more elegant. Anyway, if you're keen, please test and tell us (:

--
Olivier Mehani
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
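Putting Olivier's group-based layout together with Peter Hessler's '(egress:0)' form, as an added example that is not from any of the posters; the interface name em1 and the 10.10.1.0/24 addressing are assumed for illustration, and the ingress group name is simply the one Olivier picked (pf does not predefine it the way it does egress).

```conf
# /etc/hostname.em1  (internal NIC; name and address are assumed for this example)
# Each line is handed to ifconfig(8), so 'group' works here like any other option.
inet 10.10.1.1 255.255.255.0 NONE
group ingress

# /etc/pf.conf
# 'egress' is filled in automatically from whichever interface holds the
# default route; 'ingress' is filled in by the hostname.if line above.
# A third internal NIC therefore only needs its own hostname.if with
# 'group ingress', and no pf.conf change.
#
# (egress:0) tracks the first address on the egress interface, so a DHCP
# lease change on the outside does not leave a stale NAT address in the rule.
match out on egress from (ingress:network) to any nat-to (egress:0)

# Passes everything in both directions, which is what the question asked for;
# this rule does not filter inbound traffic on egress at all.
pass all

# Checks before loading (run as root):
#   pfctl -nf /etc/pf.conf   parse only, no rules loaded
#   ifconfig egress          lists the interface(s) currently in the egress group
#   ifconfig ingress         confirms the internal NIC picked up the group
#   pfctl -f /etc/pf.conf    load the rules once both look right
```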
Re: Most barebones pf.conf
On Wed, 4 Aug 2010 15:32:39 -0700 "Peter Merritt" wrote:
> What would be the most barebones pf.conf for an OpenBSD 4.7 nat firewall
> with 2 nics, that passes everything.

ext_if="em0"
table <int_net> const persist {10.10.1.0/24}
match out on $ext_if from <int_net> to any nat-to ($ext_if)
pass all

---
That's minimal (yes, you can write it shorter...), but it might not be enough in every case.
"man pf.conf" and http://marc.info might also help...

regards,
Robert
Re: Most barebones pf.conf
he says NAT, so what about something like

"match out from 192.168.0.0/16 to any nat-to 35.42.1.42"

pf.conf and the faq should have plenty more info

Johan Beisser [...@caustic.org] wrote:
> "pass all"
>
> On Wed, Aug 4, 2010 at 3:32 PM, Peter Merritt wrote:
> > What would be the most barebones pf.conf for an OpenBSD 4.7 nat firewall
> > with 2 nics, that passes everything.
> >
> > Peter

--
I know nothing except the fact of my ignorance -Socrates
Re: Most barebones pf.conf
"pass all"

On Wed, Aug 4, 2010 at 3:32 PM, Peter Merritt wrote:
> What would be the most barebones pf.conf for an OpenBSD 4.7 nat firewall
> with 2 nics, that passes everything.
>
> Peter
Most barebones pf.conf
What would be the most barebones pf.conf for an OpenBSD 4.7 nat firewall with 2 nics, that passes everything.

Peter