Hi,
I've created a router/NAT combo in OpenBSD 5.0 RELEASE and am trying to access outside of the NAT.
However, I seem to be running into issues regarding the blocking of packets?
This is what I'm basing my PF rules on:
http://www.openbsd.org/faq/pf/nat.html
http://www.openbsd.org/faq/pf/example1.html
and here is my pf.conf file:
Code:
#macros
int_if="em1"
tcp_services="{ 22 }"
icmp_types="echoreq"
imap_box="10.0.0.9"
http_box="10.0.0.8"
#options
set block-policy return
set loginterface em0
# interface list for skip must not be quoted: a quoted string is taken as
# a single literal interface name rather than a list
set skip on { lo, em1 }
# HTTP Proxy rules
#anchor "http-proxy/*"
#pass in quick on $int_if inet proto tcp to any port http \
# divert-to 172.16.8.40 port 3128
#match rules
#match out on egress inet from !(egress) to any nat-to (egress:0)
match out on em1 from 10.0.0.0/24 to any nat-to 172.16.8.13
#filter rules
block in log
pass out quick
pass out quick on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
antispoof quick for { lo }
pass in quick on egress inet proto tcp from any to (egress) port $tcp_services
#pass in quick on egress inet proto tcp to (egress) port 143 rdr-to $imap_box synproxy state
pass in quick on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
pass in quick on em1 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in out on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass on em0 from any to $imap_box binat-to em0
pass on em1 from $imap_box to any binat-to em0
pass in quick on egress inet proto tcp to (egress) port 80 rdr-to $http_box synproxy state
block in on egress inet proto icmp all icmp-type $icmp_types
pass in quick on $int_if
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
which is quite a mess, as I'm struggling to understand the mentality of how PF works! I think it's because I'm used to Cisco's IOS that the order of things seems to be reversed with PF, or functions a little differently?
I have managed to gain access to the IMAP server running behind the router/NAT from outside (inside the production network); however, the systems behind the router/NAT don't seem to be able to access anything outside, as I'm trying to update the ports tree using FreeBSD but it cops out using FTP.
I am testing with:
Code:
pfctl -sr
pfctl -ss
tcpdump -eni pflog0
I don't seem to be able to see anything wrong, however; can anyone help me out?
Regards!
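For comparison with the configuration in the post, here is a minimal pf.conf for the same router/NAT layout, written in the shape the linked OpenBSD FAQ pages use. This is an added example, not the poster's configuration and not taken from the FAQ verbatim; it assumes em0 is the external (egress) interface, em1 is the internal interface on 10.0.0.0/24, and the IMAP and HTTP hosts are the ones named in the post's macros. The comments spell out the two PF evaluation rules that most often trip up people coming from IOS-style access lists: the last matching filter rule wins unless a rule says quick, and match rules (nat-to, rdr-to) are applied on their own before the filter rules decide pass or block.

```conf
# Added example pf.conf (OpenBSD 5.0 syntax); assumptions: em0 = egress,
# em1 = internal LAN 10.0.0.0/24, servers as in the post's macros.
ext_if="em0"
int_if="em1"
lan_net="10.0.0.0/24"
tcp_services="{ 22 }"
icmp_types="echoreq"
imap_box="10.0.0.9"
http_box="10.0.0.8"

set block-policy return
set loginterface $ext_if
# lo is skipped entirely; the internal interface is NOT skipped, because
# skipping it would also disable the rdr-to/nat-to rules that mention it.
set skip on lo

# Translation is done with match rules, which set nat-to/rdr-to on a packet
# but never decide pass/block on their own. Outbound LAN traffic is
# translated on the egress interface to the egress interface's address.
match out on egress inet from !(egress) to any nat-to (egress:0)
# Inbound IMAP and HTTP are redirected to the internal hosts.
match in on egress inet proto tcp to (egress) port 143 rdr-to $imap_box
match in on egress inet proto tcp to (egress) port 80  rdr-to $http_box

# ftp-proxy(8) is what lets clients behind NAT use active FTP; the anchor
# and divert-to lines follow the ftp-proxy(8) manual (assumption: the
# daemon is enabled with the default port 8021).
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# Filter rules: without "quick", the LAST matching rule wins, so the
# default block must come first and specific pass rules after it.
block in log
pass out quick

antispoof quick for { lo $int_if }

# Admin SSH to the router itself, and the redirected services (the
# destination has already been rewritten to the internal host by match).
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in on egress inet proto tcp to $imap_box port 143 synproxy state
pass in on egress inet proto tcp to $http_box port 80  synproxy state
pass in inet proto icmp all icmp-type $icmp_types

# Everything from the LAN side is allowed out; reply packets are matched
# by the state entries that "pass" creates, so no separate return rules.
pass in on $int_if
```

Two things worth checking against the posted configuration when comparing the two: `set skip on` takes an unquoted list, and a `nat-to` placed on the internal interface translates nothing useful because the packets leave the box through the external one. The `pfctl -sr` output shows the rules in their evaluation order, `pfctl -ss` shows the state entries that a successful outbound connection should create (a translated entry for the LAN host appears when NAT is working), and `tcpdump -eni pflog0` only shows packets hit by rules carrying the `log` keyword, so a silently dropped packet that matched a non-logging rule will not appear there.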