DaemonForums  

#1
19th January 2013
EverydayDiesel (Shell Scout)

Giving Two Separate Networks Internet With PF

Hello again.

I have two networks that I am trying to keep separate but allow internet access to each.

Code:
# interfaces
EXT="pppoe0"
INT1="re1"
INT2="re2"

# hosts on each internal network
INT_NET1= "{ 192.168.0.2, 192.168.0.3 }"
INT_NET2= "{ 10.0.0.2, 10.0.0.3 }"

block log all
set block-policy drop

match log on pppoe0 scrub (reassemble tcp max-mss 1440)

nat on $EXT from $INT_NET1 -> ($EXT:0)
nat on $EXT from $INT_NET2 -> ($EXT:0)

pass out on $EXT inet from any to any
# one pass-in rule per internal interface (INT1 and INT2 are the macros defined above)
pass in on $INT1 inet from $INT_NET1 to any
pass in on $INT2 inet from $INT_NET2 to any

hostname.re1
Code:
inet 192.168.0.1 255.255.255.0

hostname.re2
Code:
inet 10.0.0.1 255.0.0.0

Traffic coming from INT_NET1 can get to the internet but traffic on INT_NET2 cannot.

This seems very simple and like it should work. What am I doing wrong? (And thanks in advance.)

#2
19th January 2013
J65nko (Administrator, Budel - the Netherlands)

I don't use PPPoE, but to do NAT I have this in my pf.conf:

Code:
# ---- external/egress interface
match out inet from ! egress to any  nat-to (egress)
If it still does not work, please provide the output (on the pf box) of # ifconfig -A and # netstat -rn -f inet
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
21st January 2013
EverydayDiesel (Shell Scout)

I went ahead and upgraded to 5.2, then I added the egress nat line you suggested and it now works. Thanks!

One more question though: I want to keep INT1="re1" and INT2="re2" from any form of communication with each other. Do I need to add any blocks for that, or is it good as is?

#4
21st January 2013
J65nko (Administrator, Budel - the Netherlands)

You have a default policy of block log all, so as far as I can see you don't need any additional blocking rules.

You can verify this by running tcpdump on the pflog0 device and then, for example, doing a ping from a host on the INT1 net to one on the INT2 network. The ping attempt should be blocked and show up in the tcpdump output.
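An added example (not code from any post in this thread): a complete pf.conf in the OpenBSD 5.x syntax the poster upgraded to, combining the two-LAN layout from post #1, the match ... nat-to form from post #2, and the pflog0 check from post #4. The interface names (pppoe0, re1, re2) and the two address ranges come from the thread; everything else, including the macro names, is an assumption about the setup. It adds explicit, logged block rules between the two LANs instead of relying on block log all alone: pf states are floating by default (set state-policy floating), so a state created by the pass in rule on re1 ... to any can also match the same packets when they leave on re2, and a LAN1 to LAN2 ping would then be forwarded rather than dropped. Blocking that traffic quick on the inbound LAN interface stops a state from ever being created, and the log keyword makes the attempt visible on pflog0 exactly as post #4 describes.

```pf
# Added example (not from the thread): two isolated LANs behind one PPPoE uplink.
# Interface names and address ranges follow the thread; the rest is assumed.
ext_if   = "pppoe0"
lan1_if  = "re1"
lan2_if  = "re2"
lan1_net = "192.168.0.0/24"
lan2_net = "10.0.0.0/8"

set block-policy drop
set skip on lo

# Clamp the MSS on the PPPoE link and reassemble TCP, as in post #1
match on $ext_if scrub (reassemble tcp max-mss 1440)

# NAT both LANs to the uplink's current address (post #2 style, but limited
# to the two LAN ranges instead of "everything not from egress")
match out on $ext_if inet from { $lan1_net, $lan2_net } to any nat-to ($ext_if)

# Default deny, logged: every dropped packet is visible on pflog0
block log all

# The gateway itself may talk to the internet
pass out on $ext_if inet

# Isolation: drop LAN1 <-> LAN2 traffic before any state can be created.
# "quick" makes these rules win over the pass rules that follow.
block in log quick on $lan1_if inet from $lan1_net to $lan2_net
block in log quick on $lan2_if inet from $lan2_net to $lan1_net

# Each LAN may reach anything else (the internet via NAT, and the gateway)
pass in on $lan1_if inet from $lan1_net to any
pass in on $lan2_if inet from $lan2_net to any

# Verify, as root on the gateway:
#   pfctl -nf /etc/pf.conf        # parse only, no load
#   pfctl -f /etc/pf.conf         # load the ruleset
#   tcpdump -n -e -ttt -i pflog0  # watch drops: a ping from 192.168.0.x to
#                                 # 10.0.0.x should appear here and get no reply
```

If the two LANs should never share state at all, set state-policy if-bound is the other way to get the same isolation, at the cost of needing matching pass out rules on the uplink; the explicit block rules above are the smaller change and keep the default-deny policy from the thread intact.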