I should've responded to the list sooner. I actually got past the pf problem and ran up against a dnsmasq limitation.

Chris was on the money with the 'pfctl -s' advice. I saw the error right away once I did 'pfctl -s all'. The line that ended up working was this:

    nat pass on $ext_if inet from !($ext_if) to any -> ($ext_if:0)

The problem now is that dnsmasq demands that only one interface be defined:

    dnsmasq: must set exactly one interface on broken systems without IP_RECVIF

Looks like they might have that in the near future:
http://archives.neohapsis.com/archives/openbsd/cvs/2006-05/1394.html

Thanks to those who responded,
CMP

On 9/3/06, Chris Bullock <[EMAIL PROTECTED]> wrote:

First off, what does not work? Are you sure that your sparc can access your main router, i.e. do you know for sure that the $ext_if of the sparc is functional? Can you ping the main router from the sparcstation? To see if nat is the true problem I would drop the pf rules with routing still enabled and see if your laptop could access anything beyond the sparcstation, or at least try to ping the ext_if of the sparc. Also, have you run pfctl -sn to see if the nat rules are being implemented as you desire them to be? If everything seems ok, try running tcpdump -nettti le0 to see if you are getting any traffic from anywhere.

Good luck,
Chris

Date: Fri, 1 Sep 2006 14:11:29 -0400
From: "Cristobal Palmer" <[EMAIL PROTECTED]>
Subject: [TriLUG] NAT with OpenBSD on sparcstation 5
To: "Triangle Linux Users Group discussion list" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8; format=flowed

I've already spoken with several people on the list about this problem, but I'm still stuck, so I thought I'd cast a wider net.

I've got a sparcstation 5 on which I've installed OpenBSD 3.9. I've got another openbsd box that handles NAT fine, but the sparc isn't happy. The situation looks like this:

    laptop --> sparcstation --> main router (openbsd) --> entireweb

There are four other machines plugged into the main router besides the sparc, all of which have a happy NATing experience. The laptop behind the sparc is sadly not so lucky. Here's the (very basic) pf.conf for the sparc:

---------pf.conf begins here---------
# $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="le0"
all_int="hme0 hme1 hme2 hme3"
tcp_services="{ 22, 113 }" # per instructions on http://www.openbsd.org/faq/pf/example1.html
icmp_types="echoreq"

set block-policy return # what should we do with packets destined for blocked ports?
set loginterface $ext_if
#table <spamd> persist
#table <spamd-white> persist
set skip on lo
scrub in
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
#    -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
#    -> 127.0.0.1 port spamd
block in
pass out keep state
#anchor "ftp-proxy/*"
pass quick on $all_int
antispoof quick for { lo $all_int }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
---------pf.conf ends here---------

Other notes:
* I've got dnsmasq as my dhcp server (the laptop does successfully get an address).
* I've got something very close to this on the main router. Some similar lines:

---------some pf.conf lines from main router begin here---------
set block-policy return # what should we do with packets destined for blocked ports?
set loginterface $ext_if
set skip on { lo $int_if }
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
---------some pf.conf lines from main router end here---------

TIA for any and all help.

--
Cristobal M. Palmer
UNC-CH SILS Student
TriLUG Vice Chair
[EMAIL PROTECTED]
[EMAIL PROTECTED]
ils.unc.edu/~cmpalmer
"Television-free since 2003"
<tarheelcoxn> iank has trouble with English. his native language is Python
<iank> Yeah
<iank> I'm forced
<iank> To indent
<iank> My sentences

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
