DaemonForums  
#1
20th August 2009
slakic
New User
Join Date: Aug 2009
Posts: 1
PF Configuration for newbie

Hi all,
I am a Unix newbie, and recently I've set up an OpenBSD box to route between my two subnets. The problem is, I never managed to make it work.

I've enabled ip forwarding, and turned pf on, and made some rules in my pf.conf, but packets simply won't route.

Here's my ifconfig

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:ba:3e:7b:b9
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255
        inet6 fe80::250:baff:fe3e:7bb9%rl0 prefixlen 64 scopeid 0x1
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:05:5d:fc:c8:8a
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.100.15 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::205:5dff:fefc:c88a%vr0 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
        priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
        priority: 0
        groups: pflog
And my rules:

Code:
# pfctl -sn
nat on rl0 inet from 192.168.100.0/24 to any -> 192.168.4.1
nat on vr0 inet from 192.168.4.0/24 to any -> 192.168.100.15
# pfctl -sr
scrub in all fragment reassemble
pass in all flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type echoreq keep state
block drop in on ! lo0 proto tcp from any to any port = 6000
Could someone please give me a hint: what am I doing wrong?

Cheers

Last edited by Carpetsmoker; 20th August 2009 at 08:41 PM. Reason: Add [code] tags for the sake of readability.
#2
20th August 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

Problem #1: Your rl0 link (192.168.4/24) is non-operational. No bits flowing = no data routed. You must fix this physical problem before you can use OpenBSD as a router:
Code:
rl0: ...         status: no carrier
Problem #2 may or may not be a problem. But it certainly is confusing:
Code:
# pfctl -sn
nat on rl0 inet from 192.168.100.0/24 to any -> 192.168.4.1
nat on vr0 inet from 192.168.4.0/24 to any -> 192.168.100.15
I do not understand your network configuration: you are using NAT for two distinct RFC 1918 (private, not-on-the-Internet) subnetworks. NAT should be entirely unnecessary with that type of internal LAN subnet routing. NAT should only be necessary when you need address translation, such as when putting your large internal network onto the Internet through a small number of IP addresses, or even a single IP address.

Next time, please wrap configuration and other information in [code] tags. It will make your messages much more readable. Thank you.
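As an added example (not posted by either participant), here is what a ruleset for plain routing between the two subnets in the thread could look like once the NAT rules are dropped. It assumes the rl0 link has been brought up, that `net.inet.ip.forwarding=1` is set in /etc/sysctl.conf, that hosts on each subnet use this box as their gateway, and it uses the same pre-4.7 `nat on ... ->`-era pf.conf syntax the thread's `pfctl -sr` output shows.

```pf
# /etc/pf.conf: router between two directly attached RFC 1918 subnets.
# Interface names and addresses are the ones from the thread.
int_a = "rl0"              # 192.168.4.1/24
int_b = "vr0"              # 192.168.100.15/24
net_a = "192.168.4.0/24"
net_b = "192.168.100.0/24"

set skip on lo0
scrub in all

# No nat rules at all: both networks are private and directly attached,
# so forwarding plus correct routes on the hosts is all that is needed.

# Default deny, logged to pflog0 so dropped packets show up in tcpdump.
block in log all

# Forward traffic between the two subnets. State is created on the
# inbound interface; the default floating state policy matches the
# reply on the other interface, so no separate outbound rule is needed.
pass in on $int_a inet from $net_a to $net_b keep state
pass in on $int_b inet from $net_b to $net_a keep state

# Management access to the router itself from either subnet.
pass in on { $int_a, $int_b } inet proto tcp from { $net_a, $net_b } \
    to self port ssh keep state

# Ping from either subnet, useful while debugging the link problem.
pass in inet proto icmp from { $net_a, $net_b } icmp-type echoreq keep state

# Traffic originating from the router (DNS, package fetches, ...).
pass out keep state

# Keep the default install's protection of the X11 port on the router.
block drop in on ! lo0 proto tcp from any to any port 6000
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; until `ifconfig rl0` reports `status: active`, nothing on that side can be forwarded regardless of the rules.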