DaemonForums > OpenBSD > OpenBSD Security
9th January 2009, robbak (Robert Backhaus):

Good to hear. When you have it worked out, we (and anyone who finds this thread at the end of a Google search) would be interested in the solution you worked out.

(For instance, there may have been a problem with the rdr rules that I specified - I am going to try it later and see - that may prevent ssh sessions from continuing. When the local and remote machines start communicating, state rules created by the nat engine would reset the 'to' address, so my rdr rules will not see the packets, because they will no longer have the 'to' address set to ($ext_if). This means that the necessary port redirection may not take place. Or maybe pf will recognise what we are trying to do and make it just so. Perhaps this would be better:
Code:
rdr on $ext_if from any to {($ext_if), 102.168.1.101} port 1022 -> 102.168.1.101 port 22
Not that I know whether it would work or not.)
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
10th January 2009, maurobottone (Mauro Bottone):

I can't use rdr rules as a solution because I don't know which specific ports need to be open, so I decided to use an external program (upnpd) and set in its conf that UPnP was enabled only for the 192.168.1.0/24 subnet. That resolved my problem, but I know it isn't an elegant solution. I can't do better :/
Thanks to all for helping me :°)
__________________
"Non ex regula ius sumatur, sed ex iure quod est regula fiat."
10th January 2009, jggimi:

Sorry we couldn't be more help.

Cheap NAT routers have the ability to "DMZ" a single IP address on the private LAN, because port numbers are not needed in that situation: every incoming TCP or UDP packet that is not in the state table is simply redirected to that single IP address.

In your situation, you have a DMZ subnet. So you would need to know your ports or port ranges, to direct traffic to the appropriate device on that subnet.
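As an added illustration (not code from this thread or from any of its posters), here is how the two approaches jggimi contrasts look in the pre-OpenBSD 4.7 nat/rdr syntax the thread is using: a consumer-router style "DMZ host" that receives every unsolicited inbound packet, beside explicit per-port redirections into the DMZ subnet. The interface name, the 192.168.1.x hosts and the port numbers are assumed values. It also shows the point behind robbak's worry above: rdr rewrites only the first packet of a connection, the state entry created for it translates the replies, so no second rdr rule is needed for the return traffic.

```pf
# Added example in pre-OpenBSD 4.7 nat/rdr syntax (4.7 and later use
# "match ... nat-to" and "rdr-to" instead). $ext_if, the 192.168.1.0/24
# hosts and the ports are assumed values, not taken from the thread.
ext_if   = "em0"
int_net  = "192.168.1.0/24"
dmz_host = "192.168.1.101"
web_host = "192.168.1.102"

# Outbound NAT for the private side; ($ext_if) tracks the interface address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Option A, the cheap-router "DMZ host": no ports are named, so every inbound
# packet that does not match an existing state is sent to one machine, which
# is then exposed to the whole Internet. Left commented out deliberately.
# rdr on $ext_if from any to ($ext_if) -> $dmz_host

# Option B, per-port redirection: requires knowing the ports, but only those
# ports are reachable from outside, and each can go to a different DMZ box.
rdr on $ext_if proto tcp from any to ($ext_if) port 1022 -> $dmz_host port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 80   -> $web_host port 80

# rdr only rewrites the destination; the translated packet still has to be
# passed, and the filter sees it with the *internal* address as destination.
# The reply direction is handled by the state entry, not by another rdr.
block in on $ext_if
pass in on $ext_if proto tcp from any to $dmz_host port 22 keep state
pass in on $ext_if proto tcp from any to $web_host port 80 keep state
pass out on $ext_if keep state
```

Defensively, option B is the one to prefer whenever the ports can be enumerated, and `block in` as the default keeps anything not explicitly redirected and passed from reaching the DMZ at all; option A effectively removes the firewall for the chosen host.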
11th January 2009, robbak (Robert Backhaus):

Short of obtaining multiple IP addresses, that is the best you can do. NAT can work with outgoing connections, but there are no good solutions for incoming connections. Oh, and thanks - I didn't know that we had a UPnP solution available. Lucky that the applications you needed were UPnP-enabled.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.