DaemonForums > OpenBSD > OpenBSD Security
#1
6th August 2012
imnoboist (New User)

OpenBSD pf NAT question

I'm confused about how NAT is working. I currently have the following line:
match out on $ext_if from !(egress:network) to any nat-to $default_out

Which works. $default_out is one of the static IP addresses assigned to $ext_if.

However, I have certain systems that I want to go out of a different IP address (I have five statics). I tried this:
match out on $ext_if from 172.16.111.1 to any nat-to $static2

where $static2 is a different static address. After loading the ruleset, when I browse from 172.16.111.1 and google "ip", it shows the address from $default_out.

I've tried adding the quick keyword to the $static2 NAT and moving it above the $default_out NAT but no beans.

Why isn't this working?

Is there another way I can NAT specific internal addresses to external addresses other than $default_out?

TIA
#2
6th August 2012
ocicat (Administrator)

Quote:
Originally Posted by imnoboist
I'm confused about how NAT is working.
Welcome!

It would help if the following would be provided:

$ sysctl kern.version

...as there is no information about what version of OpenBSD is used. pf(4) has gone through significant changes in the last several releases, so knowing what version you are using is important.
#3
6th August 2012
imnoboist (New User)

You got it:

# sysctl kern.version
kern.version=OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012
deraadt@amd64.openbsd.org:/usr/src/s...ile/GENERIC.MP
#4
6th August 2012
jggimi

I will hazard a guess that it is the use of match that is the problem. From pf.conf(5):
Code:
     match
           The packet is matched.  This mechanism is used to provide fine
           grained filtering without altering the block/pass state of a
           packet.  match rules differ from block and pass rules in that
           parameters are set every time a packet matches the rule, not only
           on the last matching rule.  For the following parameters, this
           means that the parameter effectively becomes ``sticky'' until
           explicitly overridden: nat-to, binat-to, rdr-to, queue, rtable, and
           scrub.
It is on pass where you can apply last-matching-rule-wins.
#5
6th August 2012
imnoboist (New User)

I'm not sure I understand. Are you saying I need to use pass rules instead of match?
#6
6th August 2012
jggimi

Yes, if I've understood the problem correctly. Let's see if I understand:
  • You wish to have a general-case NAT rule in place for $default_out. If so, leave that match rule as-is.
  • For specific traffic you wish to use other translated addresses, such as $static2. If so, for that traffic, do not use a match rule. Instead, use nat-to on the specific pass rules. From the NAT chapter of the PF User's Guide (highlight mine):
Code:
pass
    This rule allows the packet to be transmitted. If the packet was
    previously matched by a match rule where parameters were specified,
    they will be applied to this packet.  pass rules may have their own
    parameters; these take priority over parameters specified in a 
    match rule.
#7
6th August 2012
imnoboist (New User)
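The ruleset below is an added example written for this thread; it is not the original poster's pf.conf nor anything from the OpenBSD project. It puts the two points made in posts #4 and #6 side by side: the general-case nat-to is set once by a match rule (whose parameters stay "sticky"), and the one host that must leave through another static gets its nat-to on a pass rule, where pass-rule parameters take priority. Interface names, the 203.0.113.x addresses and the internal host address are constructed placeholders; $ext_if, $default_out and $static2 are the macro names from the thread.

```pf
# Added example pf.conf (OpenBSD 5.x syntax); not the thread author's ruleset.
# All addresses and interface names below are constructed placeholders.
ext_if       = "em0"
int_if       = "em1"
default_out  = "203.0.113.10"    # general-case translation address (placeholder)
static2      = "203.0.113.11"    # second static, used only for special_host (placeholder)
special_host = "172.16.111.1"    # internal host that must leave via $static2 (placeholder)

set skip on lo

# General-case NAT. A match rule sets nat-to for every outbound packet that
# does not originate from the egress network. Because match-rule parameters
# are sticky, this translation address stays in effect unless a later rule
# explicitly overrides it.
match out on $ext_if from !(egress:network) to any nat-to $default_out

block log all

# Forwarded traffic enters on the internal interface.
pass in on $int_if from $int_if:network to any

# General-case pass-out rule: no nat-to of its own, so traffic matched here
# leaves with the sticky $default_out address set by the match rule above.
pass out on $ext_if

# Override for the special host: nat-to placed on the pass rule itself.
# Pass-rule parameters take priority over match-rule parameters, and with
# last-matching-rule-wins this rule must come AFTER the general pass-out
# rule (alternatively, add "quick" and place it before).
pass out on $ext_if from $special_host to any nat-to $static2
```

To check the result without guessing from a web lookup: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and `pfctl -s states` lists the active states, where a translated connection shows the external address used alongside the original internal one. A state for 172.16.111.1 should show $static2, and any other internal host should show $default_out; if both show $default_out, the specific pass rule is not the last matching pass rule for that traffic.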

That did it! pass rule worked! Thanks!
#8
6th August 2012
jggimi

Great! Thank you for letting us know!

(This was a SWAG on my part as I've not had a need for this capability. Correct documentation really helps.)