tell the PFY to fix it
On Dec 26, 2006, at 8:45 PM, B.O.F.H. wrote:
Scenario:
DSL - DSL modem - OpenBSD Firewall - LAN
Firewall has three legs:
bge0 - External Interface, 206.124.14.98
bge1 - Internal Interface, 192.168.0.1
sk0 - Management Interface, 192.168.0.36
Desired goal:
Perform multiple static NAT translations along with a fairly
standard rule set, using bge1 as the default gateway for the LAN and
bge0 as the public interface.
Current functionality:
Overload NAT to a single IP through the DSL modem, using the OpenBSD
firewall in bridge mode.
Problem:
When I reconfigure the OpenBSD firewall to take it out of bridge
mode and run in full NAT mode, it mucks with the IP's assigned to
the two inside interfaces, which causes packets to go nowhere.
Relevant (hopefully) data:
Current bridge mode pf.conf:
ext_if = bge0
int_if = bge1
set skip on lo0
0_ns = 192.168.0.17
1_ns = 192.168.0.19
megarea = 192.168.0.32
clotho = 192.168.0.33
pheme = 192.168.0.35
heimdall = 192.168.0.36
0_mx = 192.168.0.34
dns = { $0_ns $1_ns }
external = { 192.168.0.1, 192.168.0.5 }
internal = { 192.168.0.32, 192.168.0.34 }
table <eq2_tcp> { 64.37.156.7, 64.37.129.41, 199.108.194.76,
199.108.194.75, 64.37.129.42 }
table <eq2_udp> { 64.37.148.142, 64.37.148.144, 64.37.158.0/24,
199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24,
195.33.135.0/24 }
table <eq2_icmp> { 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24,
199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }
scrub in on $int_if all no-df random-id
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if reassemble tcp
rdr on $ext_if proto tcp from any to $0_mx port 109 -> $0_mx port 25
pass in quick on $int_if all
pass out quick on $int_if all
block in log (all) on $ext_if all
pass out quick \
on $ext_if \
proto tcp \
from $clotho \
to <eq2_tcp> \
modulate state
pass out quick \
on $ext_if \
proto udp \
from $clotho \
to <eq2_udp>
pass out quick \
on $ext_if \
inet proto icmp \
from $clotho \
to <eq2_icmp>
pass out \
on $ext_if \
inet proto icmp \
all \
keep state
pass out \
on $ext_if \
proto tcp \
all \
modulate state
pass out \
on $ext_if \
proto udp \
all \
keep state
pass in quick \
on $ext_if \
proto tcp \
from <eq2_tcp> \
to $clotho \
modulate state
pass in quick \
on $ext_if \
proto udp \
from <eq2_udp> \
to $clotho
pass in quick \
on $ext_if \
inet proto icmp \
from <eq2_icmp> \
to $clotho
pass in \
on $ext_if \
proto tcp \
from any \
to $pheme \
port { https } \
modulate state
pass in \
on $ext_if \
proto tcp \
from any \
to $0_mx \
port { smtp, imap, imaps } \
modulate state
pass in log (all) \
on $ext_if \
proto tcp \
from any \
to $dns \
port { 53 } \
modulate state
pass in \
on $ext_if \
proto udp \
from any \
to $dns \
port { 53 } \
keep state
pass in \
on $ext_if \
proto tcp \
from $external \
to $internal \
port { 68, 69, 123, 514 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to $internal \
port { 68, 69, 123, 514 } \
keep state
pass in \
on $ext_if \
proto tcp \
from $external \
to { 192.168.0.16, 192.168.0.18 } \
port { 53 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to { 192.168.0.16, 192.168.0.18 } \
port { 53 } \
keep state
pass in \
on $ext_if \
proto 24 \
from $external \
to $internal
pass in \
on $ext_if \
proto tcp \
from $external \
to { 192.168.0.36 } \
port { 123 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to { 192.168.0.36 } \
port { 123 } \
keep state
pass in log (all) \
on $ext_if \
proto tcp \
from { 205.156.51.200 } \
port { ftp-data } \
to any \
modulate state
pass in log (all) \
on $ext_if \
proto tcp \
from any \
to any \
port { ftp-data, ftp, ssh } \
modulate state
Current hostname /bridgename files:
# cat /etc/hostname.bge0
up
# cat /etc/hostname.bge1
up
# cat /etc/hostname.sk0
dhcp NONE NONE NONE description Internal Firewall
# cat /etc/bridgename.bridge0
add bge0 add bge1 up
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen
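An added example, not part of the original post and not the poster's own configuration, of what the same box looks like once it routes instead of bridges: bge0 carries the public address, bge1 is the LAN's default gateway, the bridge is gone and pf does the translation. The public netmask (/29), the DSL gateway 206.124.14.97, the management subnet for sk0, and the macro names ns0/ns1/mx0 (pf.conf(5) says macro names must start with a letter) are all assumptions; so is expressing the "static NAT translations" as rdr port forwards, which fits a box with a single public address as shown in the message (binat would be the tool if the inside hosts had public addresses of their own). One thing worth checking against the original layout: sk0 sits at 192.168.0.36 and bge1 is to become 192.168.0.1, so once the bridge is gone a routed kernel has two interfaces in 192.168.0.0/24 and will attach that network's route to only one of them; the example therefore moves management to its own subnet.

```conf
# /etc/hostname.bge0  (public side; netmask assumed)
inet 206.124.14.98 255.255.255.248 NONE

# /etc/hostname.bge1  (LAN side; this is the LAN's default gateway)
inet 192.168.0.1 255.255.255.0 NONE

# /etc/hostname.sk0  (management; moved out of the LAN subnet, assumed)
inet 192.168.1.1 255.255.255.0 NONE

# /etc/bridgename.bridge0 is deleted: the kernel must route, not bridge.

# /etc/mygate  (the DSL modem's address on the public subnet, assumed)
206.124.14.97

# /etc/sysctl.conf  (a router has to forward between its interfaces)
net.inet.ip.forwarding=1

# /etc/pf.conf  (translation section only; scrub and the pass/block
# rules from the original stay as they are, below these lines)
ext_if = "bge0"
int_if = "bge1"
ns0    = "192.168.0.17"
ns1    = "192.168.0.19"
mx0    = "192.168.0.34"
pheme  = "192.168.0.35"

set skip on lo0

# Overload NAT: everything from the LAN leaves with bge0's address.
# ($ext_if) in parentheses tracks the interface address if it changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Static translations as port forwards. In routed mode the packet
# arrives addressed to bge0's public IP, so that, not the private
# address, is what the rdr has to match.
rdr on $ext_if proto tcp from any to ($ext_if) port 109 -> $mx0 port 25
rdr on $ext_if proto tcp from any to ($ext_if) port { smtp, imap, imaps } -> $mx0
rdr on $ext_if proto tcp from any to ($ext_if) port https -> $pheme
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port domain \
    -> { $ns0, $ns1 } round-robin
```

Check the ruleset with pfctl -nf /etc/pf.conf before loading it, then ifconfig bridge0 destroy and sh /etc/netstart (or reboot). Afterwards route -n show should list 192.168.0.0/24 exactly once, on bge1, with the default route on bge0, and pfctl -s nat shows the translation rules that loaded. Because rdr rewrites the destination before filtering, the original pass in rules written against $0_mx, $pheme and $dns keep matching the translated packets; only the rdr targets change.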