20th August 2009
slakic
New User

Join Date: Aug 2009
Posts: 1
PF Configuration for newbie

Hi all,
I am a Unix newbie, and recently I've set up an OpenBSD box to route between my two subnets. The problem is, I never managed to make it work.

I've enabled IP forwarding, turned pf on, and added some rules to my pf.conf, but packets simply won't route.

Here's my ifconfig

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:ba:3e:7b:b9
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255
        inet6 fe80::250:baff:fe3e:7bb9%rl0 prefixlen 64 scopeid 0x1
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:05:5d:fc:c8:8a
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.100.15 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::205:5dff:fefc:c88a%vr0 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
        priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
        priority: 0
        groups: pflog
and my rules

Code:
# pfctl -sn
nat on rl0 inet from 192.168.100.0/24 to any -> 192.168.4.1
nat on vr0 inet from 192.168.4.0/24 to any -> 192.168.100.15
# pfctl -sr
scrub in all fragment reassemble
pass in all flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type echoreq keep state
block drop in on ! lo0 proto tcp from any to any port = 6000
Could someone please give me a hint, what am I doing wrong?

Cheers

Last edited by Carpetsmoker; 20th August 2009 at 08:41 PM. Reason: Add [code] tags for the sake of readability.
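Added example, not code from the post: a Python script that parses the ifconfig and "pfctl -sn" output above and lists what keeps traffic from crossing between the two subnets. It works on constructed copies of the two interface blocks and the two nat rules embedded inline; the findings it produces are that rl0 reports "status: no carrier" (so the 192.168.4.0/24 side has no link at all, regardless of the pf rules) and that NAT is not required to route between two directly attached subnets.

```python
import ipaddress
import re

# Constructed sample: the two Ethernet interfaces from the ifconfig output in the post.
IFCONFIG = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: no carrier
        inet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: active
        inet 192.168.100.15 netmask 0xffffff00 broadcast 192.168.100.255
"""
# Constructed sample: the "pfctl -sn" output in the post.
NAT_RULES = """\
nat on rl0 inet from 192.168.100.0/24 to any -> 192.168.4.1
nat on vr0 inet from 192.168.4.0/24 to any -> 192.168.100.15
"""

def parse_ifconfig(text):
    """Map interface name -> {"status": str or None, "inet": [IPv4Interface, ...]}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if head := re.match(r"^(\w+): flags=", line):
            cur = ifaces.setdefault(head.group(1), {"status": None, "inet": []})
        elif cur is not None and (m := re.match(r"\s+status: (.+)$", line)):
            cur["status"] = m.group(1).strip()
        elif cur is not None and (m := re.match(r"\s+inet (\S+) netmask 0x([0-9a-f]{8})", line)):
            mask = ipaddress.IPv4Address(int(m.group(2), 16))  # 0xffffff00 -> 255.255.255.0
            cur["inet"].append(ipaddress.ip_interface(f"{m.group(1)}/{mask}"))
    return ifaces

def parse_nat(text):
    """Return (interface, source network, translation address) per "pfctl -sn" rule."""
    return [(m.group(1), ipaddress.ip_network(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"nat on (\w+) inet from (\S+) to any -> (\S+)", text)]

def check_forwarding_path(ifaces, nat_rules):
    """Findings that explain why packets between the two subnets cannot be delivered."""
    findings = []
    attached = {i.network for info in ifaces.values() for i in info["inet"]}
    for name, info in ifaces.items():
        if info["inet"] and info["status"] == "no carrier":
            findings.append(f"{name}: no carrier, so {info['inet'][0].network} is unreachable")
    for iface, src, addr in nat_rules:
        if src in attached and addr.is_private:
            findings.append(f"nat on {iface} from {src}: not needed to route between attached subnets")
    return findings
```

Run it on real output with `ifconfig` and `pfctl -sn` piped into the two parsers; the link-state check is worth doing before touching pf.conf, since no rule set can forward onto an interface with no carrier.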