NAT on PF openbsd 5.4
I have already read the documentation for PF in OpenBSD 5.4, but it is still not clear to me why it is necessary to use match out and pass out to create a NAT rule.
Could someone explain better, please? Thanks!
In the following snippet, the match rule dictates that every packet passing out through the external or egress interface will undergo Network Address Translation.
Code:
match out inet from ! (egress) to any nat-to (egress)
block log all
pass out quick on egress inet proto udp from any to any port = 53
pass out quick on egress inet proto tcp from any to any port = 53
pass out quick on egress inet proto tcp from any to any port = 80
Once they are allowed to pass, the match rule kicks in and does the NAT. BTW have you seen http://www.openbsd.org/faq/pf/nat.html ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
For example, I have two servers in a DMZ that need to go out to the internet, and in the old version I did 1:1 NAT, so:
nat on $ext_if from $srv01 to any -> $ext_if_fw
nat on $ext_if from $srv05 to any -> $ext_if_fw
and the internal network does:
nat on $ext_if from $local_network to any -> $ext_if_fw
How would this be done in the new version?
Without knowing the network layout of your DMZ configuration it is very difficult to answer.
What are $ext_if and $ext_if_fw? Which one is connected to the Internet and which one to the DMZ?
The nat on rules can be converted directly into match rules, as outlined in the pf(4) NAT syntax change section of the OpenBSD 4.7 Upgrade Guide, which described the transition. This syntax dates from that release.
Your rules:
Code:
nat on $ext_if from $srv01 to any -> $ext_if_fw
nat on $ext_if from $srv05 to any -> $ext_if_fw
Code:
match out on $ext_if from {$srv01 $srv05} nat-to $ext_if_fw
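As an added example (not code from the thread or from OpenBSD), here is a complete pf.conf fragment that applies the conversion in the last reply to all three of the poster's rules, together with the pass rules the first reply says are needed for the translation to take effect; the interface names, addresses and port filters are assumptions:

```pf
# Added example, not from the thread: the poster's three pre-4.7 "nat on" rules
# rewritten in the match/pass syntax of OpenBSD 4.7 and later (including 5.4).
# Interface names, addresses and the port filters are assumptions.
ext_if        = "em0"             # assumed: interface towards the Internet
dmz_if        = "em1"             # assumed: interface towards the DMZ
int_if        = "em2"             # assumed: interface towards the LAN
ext_if_fw     = "203.0.113.10"    # assumed: public address to translate to
srv01         = "192.0.2.11"      # assumed DMZ host
srv05         = "192.0.2.15"      # assumed DMZ host
local_network = "10.0.0.0/24"     # assumed internal network

set skip on lo

# Old syntax, kept as a comment for comparison (OpenBSD 4.6 and earlier):
#   nat on $ext_if from $srv01 to any -> $ext_if_fw
#   nat on $ext_if from $srv05 to any -> $ext_if_fw
#   nat on $ext_if from $local_network to any -> $ext_if_fw

# New syntax: match attaches the translation to matching packets but on its
# own neither passes nor blocks anything; a pass rule must still allow them.
match out on $ext_if inet from { $srv01, $srv05, $local_network } to any \
    nat-to $ext_if_fw

# Default deny, logged, so anything not explicitly allowed appears on pflog0.
block log all

# Decide on the interface where the traffic enters what each host may start.
pass in on $dmz_if inet proto udp from { $srv01, $srv05 } to any port 53
pass in on $dmz_if inet proto tcp from { $srv01, $srv05 } to any port { 53, 80, 443 }
pass in on $int_if inet from $local_network to any

# Let allowed traffic leave; the match rule above is applied as it passes.
pass out on $ext_if inet

# Checks before and after loading:
#   pfctl -nf /etc/pf.conf             # parse only, catches syntax errors
#   pfctl -f /etc/pf.conf && pfctl -sr # load, then show the active rules
#   pfctl -ss                          # state table shows translated addresses
#   tcpdump -n -e -ttt -i pflog0       # watch what the block rule drops
```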