DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 5th February 2018
mbzadegan mbzadegan is offline
Port Guard
 
Join Date: Feb 2014
Posts: 25
Question Simple PF commands for IP_Forwarding

Hi all,
I want to forward all network packets between both interfaces (em0,em1).
BTW, I set net.inet.ip.forwarding=1 but still need some PF commands to allow between interfaces.
Reply With Quote
  #2   (View Single Post)  
Old 5th February 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by mbzadegan View Post
Hi all,
I want to forward all network packets between both interfaces (em0,em1).
This is called "routing" packets, and this is what a router does.

To route packets between two network interfaces, on OpenBSD they must attach to different networks -- their address ranges cannot overlap.

In its simplest form:

[Network A] - [router] - [Network B]

But most implementations aren't that simple. There are often Internet connections needed, and a default route must be provisioned. These are often called gateway routers.

[Network A] - [gateway router] - [the Internet]

And there are intermediate routers, often used in a DMZ. Here is a simple example:

[Network A] - [router] - [Network B] - [gateway router] - Internet

And then there is Network Address Translation (NAT), which is used to translate addresses as they transit a router. The most common use is for private networks to attach to the Internet, and share one or more Internet-facing IP addresses.
Quote:
BTW, I set net.inet.ip.forwarding=1 but still need some PF commands to allow between interfaces.
You have not provided enough information for me to respond with a detailed reply. Here is general guidance:
  • PF is designed to be pass-by-default. It will pass traffic unless explicitly provisioned to block.
  • PF is required to provision NAT on OpenBSD. If your network architecture requires NAT, you will need to provision it with a PF rule.
If you want better guidance, provide a clearer picture of your intended network design.

Last edited by jggimi; 5th February 2018 at 11:23 PM. Reason: typos
Reply With Quote
  #3   (View Single Post)  
Old 6th February 2018
mbzadegan mbzadegan is offline
Port Guard
 
Join Date: Feb 2014
Posts: 25
Default

Thanks for your excellent consideration
My Network picture is [ https://photos.app.goo.gl/qSuwibs5AlC4hIJE3 ]
I want to connect to the Internet through the OpenBSD without any firewall rule.
My PC Gw: 192.168.111.1
And I set net.inet.ip.forwarding=1 on OpenBSD.

Last edited by mbzadegan; 6th February 2018 at 10:59 AM.
Reply With Quote
  #4   (View Single Post)  
Old 6th February 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Thank you. Your ADSL modem is a NAT router, and you have two private networks, which I assume are both /24 networks. You need to add a route to the second private network to your ADSL modem's network configuration.

Your ADSL modem knows only about the first private network (192.168.30.0/24) as it is directly connected. But the modem has no knowledge of the second private network (192.168.111.0/24) unless you provide it.

You should provision the ADSL modem by adding a route to the second network (192.168.111.0/24) that it does not directly connect with, pointing it to the OpenBSD router's address (192.168.30.110) on the directly connected network.
Reply With Quote
  #5   (View Single Post)  
Old 6th February 2018
mbzadegan mbzadegan is offline
Port Guard
 
Join Date: Feb 2014
Posts: 25
Question

Aha, OK.
But How can I resolve my problem If I don't access to my ADSL Modem console?
Is that possible to config my OpenBSD as a NAT Device?
What PF commands is need by pf.conf?

Last edited by mbzadegan; 6th February 2018 at 11:46 AM.
Reply With Quote
  #6   (View Single Post)  
Old 6th February 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

If you are unable to provision the ADSL modem, you must make the OpenBSD router into a NAT router. In this way, OpenBSD will translate the addresses for all traffic routed to and from the second network. This is done with the nat-to directive in PF, as described in the Network Address Translation chapter of the PF Users' Guide.

When you have NAT routers linked together -- "double NAT" -- this can cause problems for some protocols.

Something like this might work:
Code:
pass out on em0 inet from em1:network to any nat-to (em0)
Reply With Quote
  #7   (View Single Post)  
Old 6th February 2018
mbzadegan mbzadegan is offline
Port Guard
 
Join Date: Feb 2014
Posts: 25
Default

Thanks very much!
Your Command resolves my issue.
Now, I installed openconnect client on my OpenBSD and run it without any error. If I want to redirect all of my PC traffic through it, I must change above 2 em0 interface to tun0 in your pf code?

Last edited by mbzadegan; 6th February 2018 at 12:17 PM.
Reply With Quote
  #8   (View Single Post)  
Old 6th February 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I've never used OpenConnect, and will leave any provisioning advice for it to someone else.
Reply With Quote
  #9   (View Single Post)  
Old 6th February 2018
mbzadegan mbzadegan is offline
Port Guard
 
Join Date: Feb 2014
Posts: 25
Default

OK, Thank you very much, You resolved my Problem excellent.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Writing a simple script to edit text files and execute commands guitarscn Programming 11 24th August 2010 09:21 PM
execute commands from xinitrc rex FreeBSD General 3 22nd October 2008 10:24 PM
No DRI + GLX commands? Hrr4 FreeBSD General 5 21st September 2008 10:05 AM
FreeBSD Administration Commands corey_james FreeBSD General 13 10th June 2008 08:44 PM
Cisco IOS commands ?? jb_daefo Off-Topic 7 5th June 2008 01:53 AM


All times are GMT. The time now is 08:39 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick