DaemonForums  

#1
4th February 2014
marciorufino01
New User
Join Date: Nov 2013
Posts: 8
Thanked 0 Times in 0 Posts

NAT on PF OpenBSD 5.4

I've already read the PF documentation for OpenBSD 5.4, but it's still not clear to me why it is necessary to use match out and pass out to create a NAT rule.
Could someone explain it better, please?

Thanks!
#2
4th February 2014
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,825
Thanked 214 Times in 189 Posts

The match rule is "sticky" -- it sets options that remain in effect for any following pass or block.

For Network Address Translation, it is an easy way to apply the nat-to option to all of the subsequent pass rules which may apply to that traffic.

Traffic that is NATted must be passed, in any event, either with an explicit nat-to or a nat-to included in a previous match rule.

Last edited by jggimi; 4th February 2014 at 01:44 AM. Reason: clarity
#3
4th February 2014
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,198
Thanked 182 Times in 149 Posts

In the following snippet, the match rule dictates that every packet passing out through the external or egress interface will undergo Network Address Translation.
Code:
match out inet from ! (egress) to any nat-to (egress) 

block log all
pass out quick on egress inet proto udp from any to any port = 53
pass out quick on egress inet proto tcp from any to any port = 53
pass out quick on egress inet proto tcp from any to any port = 80
Because I have a block log all policy, I need pass rules to actually allow selected types of packets to go out.
Once they are allowed to pass, the match rule kicks in and does the NAT.

BTW have you seen http://www.openbsd.org/faq/pf/nat.html ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#4
4th February 2014
marciorufino01
New User
Join Date: Nov 2013
Posts: 8
Thanked 0 Times in 0 Posts

For example, I have two servers in a DMZ that need to go out to the internet, and the old version does 1:1 NAT, so

nat on $ext_if from $srv01 to any -> $ext_if_fw
nat on $ext_if from $srv05 to any -> $ext_if_fw

and the internal network does

nat on $ext_if from $local_network to any -> $ext_if_fw

How would the new version do this?
#5
4th February 2014
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,198
Thanked 182 Times in 149 Posts

Without knowing the network layout of your DMZ configuration it is very difficult to answer.

What is the $ext_if and $ext_if_fw? Which one is connected to the Internet and which one to the DMZ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#6
4th February 2014
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,825
Thanked 214 Times in 189 Posts

The nat on rules can be converted directly into match rules, as outlined in the pf(4) NAT syntax change section of the OpenBSD 4.7 Upgrade Guide, which described the transition. This syntax dates from that release.

Your rules:
Code:
nat on $ext_if from $srv01 to any -> $ext_if_fw
nat on $ext_if from $srv05 to any -> $ext_if_fw
are likely to translate directly to:
Code:
match out on $ext_if from {$srv01 $srv05} nat-to $ext_if_fw
I say likely because as J65nko has pointed out, you have only shared a fragment of your ruleset, and your variables are unknowns. My proposed syntax will apply nat-to to later pass rules that apply.
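Added example, not from this thread and not OpenBSD code: a small Python model of the evaluation order that both post #3 (the match/block/pass snippet) and post #6 (the converted DMZ rules) rely on. It shows why a match ... nat-to rule does nothing on its own: the option is only remembered, and is applied solely when a later pass rule lets the packet out. All addresses are constructed, including the egress address 203.0.113.10 and the values stood in for the macros $srv01, $srv05, $local_network and $ext_if_fw (assumed here to be the egress address); interface and direction are not modelled.

```python
"""Toy model of pf(4) rule evaluation (added example, not OpenBSD code).

Only the subset of pf semantics the replies above rely on is modelled:
  * rules are evaluated top to bottom;
  * 'block' and 'pass' set the verdict, and the LAST matching one wins
    unless it carries 'quick', which ends evaluation at once;
  * 'match' never changes the verdict; it only records options (here
    nat-to) that take effect if the final verdict is 'pass'.
Interface and direction are not modelled: every packet is assumed to be
leaving on the egress interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

@dataclass
class Packet:
    src: str       # source IPv4 address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port

@dataclass
class Rule:
    action: str                    # "match", "block" or "pass"
    proto: Optional[str] = None    # None: any protocol
    src_nets: Sequence[str] = ()   # empty: any source; a list models {a b}
    src_negate: bool = False       # True models 'from ! ...'
    dport: Optional[int] = None    # None: any port
    quick: bool = False
    nat_to: Optional[str] = None   # address the source is rewritten to

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src_nets:
        in_set = any(ip_address(pkt.src) in ip_network(n) for n in rule.src_nets)
        if in_set == rule.src_negate:
            return False
    return True

def evaluate(rules: Sequence[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, nat_to). nat_to is None unless the packet is passed
    and a match rule carrying nat-to applied to it on the way."""
    verdict = "pass"   # pf's default when no rule matches at all
    nat_to = None
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "match":
            if rule.nat_to is not None:
                nat_to = rule.nat_to   # "sticky": remembered, applied only on pass
            continue
        verdict = rule.action
        if rule.quick:
            break
    return verdict, (nat_to if verdict == "pass" else None)

EGRESS = "203.0.113.10"   # constructed: the firewall's external (egress) address

# J65nko's snippet from post #3 as Rule objects
POST3_RULES = [
    Rule("match", src_nets=[EGRESS + "/32"], src_negate=True, nat_to=EGRESS),
    Rule("block"),                                    # block log all
    Rule("pass", proto="udp", dport=53, quick=True),  # pass out quick ... port = 53
    Rule("pass", proto="tcp", dport=53, quick=True),
    Rule("pass", proto="tcp", dport=80, quick=True),
]

# jggimi's conversion from post #6, plus the internal network converted the same
# way; the macro values ($srv01, $srv05, $local_network, $ext_if_fw) are constructed
SRV01, SRV05, LOCAL_NET = "10.10.0.11", "10.10.0.15", "192.168.1.0/24"
DMZ_RULES = [
    Rule("match", src_nets=[SRV01 + "/32", SRV05 + "/32"], nat_to=EGRESS),
    Rule("match", src_nets=[LOCAL_NET], nat_to=EGRESS),
    Rule("block"),
    Rule("pass", proto="tcp", dport=80, quick=True),
    Rule("pass", proto="tcp", dport=443, quick=True),
]

def demo() -> None:
    cases = [
        ("post3", POST3_RULES, Packet("192.168.1.5", "udp", 53)),  # passed and NATted
        ("post3", POST3_RULES, Packet("192.168.1.5", "tcp", 22)),  # blocked: match alone did nothing
        ("post3", POST3_RULES, Packet(EGRESS, "tcp", 80)),         # firewall's own traffic: no NAT
        ("dmz", DMZ_RULES, Packet(SRV01, "tcp", 443)),             # passed and NATted
        ("dmz", DMZ_RULES, Packet("10.10.0.99", "tcp", 80)),       # passed untranslated: no match covers it
    ]
    for name, rules, pkt in cases:
        print(name, pkt, "->", evaluate(rules, pkt))

if __name__ == "__main__":
    demo()
```

The last case in demo() is the caveat worth checking in a real ruleset: a DMZ host that no match rule covers is still let out by the generic pass rules, just with its private source address untouched, so the pass rules should be scoped to the same sources as the match rules rather than to any. On a real system the rule order can be confirmed with pfctl -s rules, and J65nko's advice to watch pflog0 with tcpdump shows which rule a given packet actually hit.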