DaemonForums  

23rd March 2012
sparky
Help needed with understanding PF rules

Hi,

I've created a router/NAT combo in OpenBSD 5.0 RELEASE and am trying to access outside of the NAT.

However, I seem to be running into issues regarding the blocking of packets?


This is what I'm basing my PF rules on:

http://www.openbsd.org/faq/pf/nat.html

http://www.openbsd.org/faq/pf/example1.html

and here is my pf.conf file:

Code:
#macros

int_if="em1"

tcp_services="{ 22 }"
icmp_types="echoreq"

imap_box="10.0.0.9"
http_box="10.0.0.8"

#options

set block-policy return
set loginterface em0
set skip on "{ lo, em1 }"

# HTTP Proxy rules

#anchor "http-proxy/*"

#pass in quick on $int_if inet proto tcp to any port http \
#    divert-to 172.16.8.40 port 3128 



#match rules

#match out on egress inet from !(egress) to any nat-to (egress:0)

match out on em1 from 10.0.0.0/24 to any nat-to 172.16.8.13

#filter rules

block in log
pass out quick
pass out quick on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13 
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

antispoof quick for { lo }

pass in quick on egress inet proto tcp from any to (egress) port $tcp_services

#pass in quick on egress inet proto tcp to (egress) port 143 rdr-to $imap_box synproxy state 
pass in quick on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
pass in quick on em1 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in out on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass  on em0 from any to $imap_box binat-to em0 
pass  on em1 from $imap_box to any binat-to em0


pass in quick on egress inet proto tcp to (egress) port 80 rdr-to $http_box synproxy state

block in on egress inet proto icmp all icmp-type $icmp_types

pass in quick on $int_if

#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
which is quite a mess, as I'm struggling to understand the mentality or how PF works! I think it's because I am used to Cisco's IOS that the order of things seems to be reversed with PF, or to function a little differently?


I have managed to gain access to the IMAP server running behind the router/NAT from outside (inside the production network). However, the systems behind the router/NAT don't seem to be able to access anything outside... as I'm trying to update the ports tree using FreeBSD, but it cops out using FTP.


I am testing with:

Code:
pfctl -sr
pfctl -ss
tcpdump -eni pflog0

I don't seem to be able to see anything wrong. However, can anyone help me out?


Regards!

Last edited by sparky; 23rd March 2012 at 07:30 PM.
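Added illustration, not part of the original post and not OpenBSD's code: a small Python model of the one PF fact the post finds "reversed" relative to IOS ACLs, namely that the last matching rule wins unless a matching rule carries `quick`. The rule list is a simplified, constructed counterpart of the posted filter section (NAT, rdr-to and state options omitted; em0 is assumed to be egress), evaluated both PF-style and first-match-style for contrast.

```python
"""Toy model of PF filter-rule evaluation for the ruleset posted above. Added
illustration, not PF's parser or the poster's config: the LAST matching rule
wins unless a matching 'quick' rule ends evaluation first. Interface names and
sample packets are constructed; em0 is assumed to be egress."""
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out"
    iface: str            # interface the packet crosses
    proto: str            # "tcp", "udp", "icmp"
    dport: Optional[int]  # destination port, None for icmp

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches either direction
    iface: Optional[str] = None      # None matches any interface
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        wanted = (self.direction, self.iface, self.proto, self.dport)
        actual = (p.direction, p.iface, p.proto, p.dport)
        return all(w is None or w == a for w, a in zip(wanted, actual))

def pf_evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """PF order: the last match wins, 'quick' stops early. No match: pass."""
    verdict, winner = "pass", None
    for i, r in enumerate(rules):
        if r.matches(pkt):
            verdict, winner = r.action, i
            if r.quick:
                break
    return verdict, winner

def acl_evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Cisco-IOS-style ACL order, for contrast: the FIRST match decides."""
    return next(((r.action, i) for i, r in enumerate(rules) if r.matches(pkt)),
                ("pass", None))

RULES = [  # simplified counterpart of the posted filter section
    Rule("block", "in"),                               # block in log
    Rule("pass", "out", quick=True),                    # pass out quick
    Rule("pass", "in", "em0", "tcp", 22, quick=True),   # ssh to (egress)
    Rule("pass", "in", "em0", "tcp", 143, quick=True),  # rdr-to $imap_box
    Rule("block", "in", "em0", "icmp"),                 # block echoreq on egress
    Rule("pass", "in", "em1", quick=True),              # pass in quick on $int_if
]
```

An inbound FTP control packet on em1 is blocked by rule 0 under first-match order but passed by rule 5 under PF order, which is the behaviour difference the post describes.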