DaemonForums
OpenBSD Security

#1
Old 6th December 2010
Monkey
New User

Join Date: Dec 2009
Posts: 7
Help with OpenBSD 4.8 and NAT

Hi everybody,

I decided to upgrade my OpenBSD 4.5 to 4.8; I use it only to split my internet connection using NAT. In 4.5 everything is working fine, but in version 4.8 they changed the syntax for the NAT rules in pf.conf. Here is my working 4.5 pf.conf:

Code:
# cat pf.conf

int_if="hme0"
ext_if="pppoe0"

set block-policy return
set loginterface $ext_if

set skip on lo

match on pppoe0 scrub (max-mss 1440)

nat on $ext_if from !($ext_if) to any -> ($ext_if)

I read the man pages for pf.conf and accordingly converted my ruleset to:

Code:
ext_if="pppoe0"
int_if="xl1"

set block-policy return
set loginterface $ext_if

set skip on lo

match on pppoe0 scrub (max-mss 1440)

match out on $ext_if from !($ext_if) nat-to ($ext_if)

But when I try to access the internet from another computer it doesn't work... I tried a few variants of the NAT rule and none of them worked; I also tried them on OpenBSD 4.7 and 4.8, and it didn't work in either version... Anybody have an idea of what might be the problem?

Thanks in advance
#2
Old 6th December 2010
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975

Just a guess, since your match rule looks fine. I could be wrong.

You reinstalled, rather than upgraded, and forgot to forward IP packets.
#3
Old 6th December 2010
Monkey
New User

Join Date: Dec 2009
Posts: 7

Quote:
Originally Posted by jggimi
Just a guess, since your match rule looks fine. I could be wrong.

You reinstalled, rather than upgraded, and forgot to forward IP packets.

Hi,

I reinstalled but I did think to activate IP forwarding in sysctl.conf.
Also I forgot to say the pppoe internet connection is working on the firewall computer, so the problem is probably pf-related...
#4
Old 6th December 2010
thirdm
Spam Deminer

Join Date: May 2009
Posts: 248

What if you add "to any" after the from clause and before nat-to. Looking at the grammar in the man page, it doesn't look optional.
#5
Old 6th December 2010
BSDfan666
Real Name: N/A, this is the interweb.
Banned

Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

In one of those examples, you define $int_if as hme0 but in the other it's xl1.

Other than that, consider adding another pass rule.. or changing the match rule to a pass.

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

...or match+pass:
match out on $ext_if from !($ext_if) to any nat-to ($ext_if)
pass out on $ext_if all

Good luck.
#6
Old 6th December 2010
Monkey
New User

Join Date: Dec 2009
Posts: 7

Quote:
Originally Posted by BSDfan666
In one of those examples, you define $int_if as hme0 but in the other it's xl1.

Other than that, consider adding another pass rule.. or changing the match rule to a pass.

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

...or match+pass:
match out on $ext_if from !($ext_if) to any nat-to ($ext_if)
pass out on $ext_if all

Good luck.

I don't know why, but I tried that rule and it worked:

Code:
pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

Thanks a lot for the help!
Now I will try to add security rules to block access from the outside..
I'm a newbie so it won't be easy...
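A complete gateway ruleset in the OpenBSD 4.7+/4.8 syntax that follows what the thread arrived at (an explicit "to any" in the NAT rule and an explicit pass rule for the translated traffic) and adds the inbound blocking the poster says he wants to do next. This is an added example, not the poster's configuration and not taken from the OpenBSD documentation; the interface names, the LAN prefix and the default-deny policy are assumptions made for illustration.

```pf
# Added example pf.conf for an OpenBSD 4.8 NAT gateway (not the poster's file).
# Interface names and the LAN prefix below are assumptions.
ext_if = "pppoe0"
int_if = "xl1"
lan_net = "192.168.1.0/24"   # constructed example LAN prefix

# Routing between interfaces is a kernel setting, not a pf rule: put
# net.inet.ip.forwarding=1 in /etc/sysctl.conf, or nothing is forwarded
# no matter what pf does (the point raised in post #2).

set block-policy return
set loginterface $ext_if
set skip on lo

# Clamp MSS on the PPPoE link, as in the original ruleset.
match on $ext_if scrub (max-mss 1440)

# NAT for LAN traffic leaving through the external interface. The "to any"
# is written out as the pf.conf(5) grammar shows it; the translation is
# carried by the "pass out" rule further down.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default deny: anything not explicitly passed below is dropped (and logged
# to pflog0). This is what keeps outside hosts from reaching the gateway
# or the LAN; no "pass in on $ext_if" rule exists on purpose.
block log all

# Drop packets arriving on the LAN interface with source addresses that do
# not belong to the LAN.
antispoof quick for $int_if

# Accept traffic from LAN hosts on the internal interface. State is kept by
# default, so replies come back without a separate rule.
pass in on $int_if inet from $lan_net to any

# Let the gateway's own traffic and the NATed LAN traffic out via PPPoE.
# Replies to these connections are matched by state, not by a pass-in rule.
pass out on $ext_if inet
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s states` then shows the translated source address on states created by LAN hosts. Management access to the gateway from the LAN still works because the `pass in on $int_if` rule covers traffic addressed to the gateway itself; any service that must be reachable from the outside needs its own narrow `pass in on $ext_if` rule, which this example deliberately leaves out.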
#7
Old 6th December 2010
thirdm
Spam Deminer

Join Date: May 2009
Posts: 248

For us casual pf users, could someone explain why this worked for him?

Was it the addition of "to any" or was it that having an explicit pass rule was necessary for the nat-to property of the match rule to be used? So if you have match rules adding one of these properties (making them sticky as the man page puts it) for later pass rules, they do not get applied if you fall through to the default pass rule? Or is it that the default pass rule is effectively a prior rule, so match rules don't apply to it because the match conceptually comes after the unwritten default rule?