Re: nat-to and route-to specified in a single rule

2011-06-07 Thread Bojidara Marinchovska

Hello,

pass in on $int_if from $network nat-to $ext_if is different from
pass out on $ext_if from $network nat-to $ext_if


Also from pf.conf(5)

   nat-to is usually applied outbound.  If applied inbound, nat-to
   to a local IP address is not supported.




On 06/06/11 11:05, Rob Sessink wrote:


Hello,

In a multi-homed setup I am trying to route out packets over the
secondary interface, on which NAT is also done.


The environment consists of an OpenBSD 4.9 firewall with 3 em
interfaces, connected to 2 DSL providers:


em0: internal interface

em1: first DSL

em2: second DSL

I did some testing with the following ruleset, where I have
specified nat-to and route-to in a single rule:


### rules ###

pass in  log on em0 from 192.168.1.118 nat-to (e2gress:0) route-to (em2 80.100.x.x)


pass out log on em2

### states ###

all icmp 74.125.77.104:8 - 80.100.x.x:54000 (192.168.1.118:9035)   0:0

all icmp 80.100.x.x:54000 - 74.125.77.104:8   0:0

This setup somewhat works. When pinging an upstream host, the packets
get sent out over the secondary interface, but the first packet is
always dropped!


According to the pf.conf man page this rule specification is possible.
My question is: is this kind of rule specification allowed and intended
to work in PF?


When splitting the nat-to / route-to statements in the ruleset,
everything works fine.


### rules ###

pass in  log on em0 from 192.168.1.118 route-to (em2 80.100.x.x)

pass out log on em2 from 192.168.1.118 nat-to (em2:0)

### states ###

all icmp 74.125.77.104:8 - 192.168.1.118:8779   0:0

all icmp 80.100.x.x:9676 (192.168.1.118:8779) - 74.125.77.104:8   0:0

Regards Rob





RE: nat-to and route-to specified in a single rule

2011-06-07 Thread Rob Sessink
Hello,

You're right, looking again at this rule, it is unwanted to do the NAT
on the inbound packets of the internal interface when the firewall is
connected to multiple networks/interfaces.

Thanks for the pointer to pf.conf(5). But what is meant by
'local IP address' in this context?

Thx Rob

From: Bojidara Marinchovska [mailto:quintesse...@bobi.gateit.net]
Sent: Tuesday, 7 June 2011 14:13
To: Rob Sessink
CC: pf@benzedrine.cx
Subject: Re: nat-to and route-to specified in a single rule



Re: nat-to and route-to specified in a single rule

2011-06-07 Thread Stuart Henderson
On 2011/06/07 17:36, Rob Sessink wrote:
 You're right, looking again at this rule, it is unwanted to do
 the NAT on the inbound packets of the internal interface when the
 firewall is connected to multiple networks/interfaces.
 
 Thanks for the pointer to pf.conf(5). But what is meant by
 'local IP address' in this context?

An address on the local machine.
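As an added example (not part of the thread, and not OpenBSD project
code), the split pattern the thread ends up with, generalised to both
DSL links: the routing decision (route-to) is taken on the inbound LAN
rule, where the source address is still the untranslated 192.168.1.x
address, and the translation (nat-to) is applied by match rules on
whichever outbound interface the packet actually leaves on. That keeps
nat-to outbound, as pf.conf(5) says it usually is, and means neither DSL
interface can ever translate a packet to the other link's address. The
interface names follow Rob's setup (em0 LAN, em1 and em2 DSL); the LAN
prefix, the two next-hop gateway addresses and the choice of
192.168.1.118 as the host pinned to DSL 2 are assumptions.

```pf
# Added example ruleset; names and addresses below are assumptions.
int_if  = "em0"                 # internal interface (from the thread)
dsl1_if = "em1"                 # first DSL (from the thread)
dsl2_if = "em2"                 # second DSL (from the thread)
lan     = "192.168.1.0/24"      # assumed LAN prefix
dsl1_gw = "10.1.0.1"            # assumed next hop on em1
dsl2_gw = "10.2.0.1"            # assumed next hop on em2
via_dsl2 = "{ 192.168.1.118 }"  # assumed: hosts pinned to the second link

set skip on lo

# Translation is decided on the OUTBOUND interface, after the route is
# known.  "match" only records the nat-to for the packet; the pass rules
# below still decide whether it is allowed.  Each link translates to its
# own address, so a packet routed out em2 can never leave with em1's
# address and vice versa.
match out on $dsl1_if inet from $lan to any nat-to ($dsl1_if:0)
match out on $dsl2_if inet from $lan to any nat-to ($dsl2_if:0)

block all

# Policy routing is decided INBOUND on the LAN side, on the untranslated
# source address.  Pinned hosts go via DSL 2, everything else via DSL 1.
# The state is created here, keyed on the internal address.
pass in on $int_if inet from $via_dsl2 to any route-to ($dsl2_if $dsl2_gw)
pass in on $int_if inet from $lan      to any route-to ($dsl1_if $dsl1_gw)

# Let the routed LAN traffic (and the firewall's own traffic) out over
# either link; the match rules above have already attached the nat-to.
pass out on { $dsl1_if $dsl2_if } inet from any to any

# Return traffic for the LAN matches the states created by the rules above
# (stateful by default), so no explicit "pass in" on em1/em2 is needed.
```

Syntax-check with pfctl -nf /etc/pf.conf before loading. After a ping
from the pinned host, pfctl -ss should show two states for it: an
untranslated one created by the inbound em0 rule and a translated one on
em2, matching the state listing Rob got with his split ruleset rather
than the single-rule one.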