DaemonForums > OpenBSD Security
#1 - 20th March 2015 - benky (Port Guard; Croatia; 14 posts)

configuring NAT in PF?

I have a similar situation to this.
Here is my VMware lab:

OpenBSD as firewall
vic0 {192.168.1.246/24 bridged adapter so I have access to Internet 192.168.1.1} vic1{10.0.0.10/24}
Ubuntu and other hosts in 10.0.0.0/24
I want to give Ubuntu and the other hosts, except one host, access to the Internet through OpenBSD, and this is where I have a problem. I don't know how to NAT this thing. I tried many rules but obviously none of them work. Forwarding is set to 1 in sysctl.conf.
Here is an example of a rule I am trying:

match out on vic0 from vic1:network to vic0 nat-to vic0
pass out on vic1 from vic0 to vic1:network

Thank you.
#2 - 20th March 2015 - jggimi (More noise than signal; USA; 6,292 posts)

Your match rule appears correct to me, benky. It translates outbound traffic from the vic1 network that transits vic0.

The pass rule appears to be incorrect, but I cannot be certain because these two rules are unlikely to be the only rules in your pf.conf file. But, let's look at this one rule. It's very easy to be confused by the in, out, from, to, and on filtering options. Specifically, this rule will only pass traffic out, which means from the OpenBSD system outward onto vic1, any traffic that originates from the address assigned to vic0: 192.168.1.246. That is never going to be Internet traffic.

NAT traffic must originate from the 10.0.0/24 network on vic1, not from the Internet, unless you pre-configure port forwarding for established, "listening" services on the 10.0.0.0/24 network. That network will share the OpenBSD system's egress IP address. PF (or any other NAT router) tracks state when the NATted devices initiate connections, in order to route return traffic to the correct device.

A better rule passes traffic coming from the vic1 network destined outbound; return traffic will be passed based on state rules established when the connections are requested.

pass from vic1:network to any

Disclaimer: the syntax may not be correct; I don't have an OpenBSD system to test it at this moment.
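A complete pf.conf for benky's lab that applies jggimi's point about the pass rule and also handles the one host from the first post that must stay off the Internet; this is an added example, not a ruleset posted by either member. The interface names and networks come from the thread, and the address in the <no_inet> table is a constructed placeholder.

```pf
# Added example for the lab in post #1 (not benky's or jggimi's ruleset).
# Assumed: vic0 faces 192.168.1.0/24 (Internet via 192.168.1.1), vic1 faces
# the 10.0.0.0/24 LAN. 10.0.0.99 is a constructed placeholder for the one
# host that must not reach the Internet.
ext_if  = "vic0"
int_if  = "vic1"
lan_net = "10.0.0.0/24"
table <no_inet> const { 10.0.0.99 }

set skip on lo

# Default deny inbound on every interface; log blocks for troubleshooting.
block in log all

# NAT: rewrite the source address of LAN traffic leaving vic0 to vic0's
# own address. The original rule said "to vic0", which only matches packets
# addressed to the firewall itself; Internet-bound traffic needs "to any".
# nat-to on a match rule only takes effect when a later pass rule accepts
# the packet, so this line must sit above the pass rules.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Locally generated and forwarded traffic may leave on any interface.
pass out quick

# Drop packets arriving on the LAN side with a spoofed source.
antispoof quick for { lo $int_if }

# The excluded host may talk to the LAN but to nothing beyond it.
block in quick on $int_if from <no_inet> to ! $lan_net

# Everyone else on the LAN gets out. The state created here also passes
# the return traffic, so no "pass in on $ext_if" rule is needed for it.
pass in on $int_if inet from $lan_net to any
```

pfctl -nf /etc/pf.conf parses the file without loading it, which is the syntax check jggimi mentions not being able to run; pfctl -sr and pfctl -ss then show the loaded rules and the states created as LAN hosts connect out.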
#3 - 20th March 2015 - ocicat (Administrator; 3,295 posts)

This thread has been separated from its parent thread:

http://daemonforums.org/showthread.php?t=8971

While both threads ask questions about configuring NAT within pf(4), it is not clear at this point in either thread whether the problems encountered in both situations are the same.

We ask members to honor the direction of the initial post in any thread. Technical discussion has enough challenges without adding extraneous or different issues.

We encourage discussion at this site, but we also ask that side discussions be started in new threads. Beginning new threads is easy.