Help with PF NAT configuration
Hello all, I am replacing a Cisco ASA with an OpenBSD PF NAT box for a couple of reasons: I'm tired of paying Cisco money just to receive updates, tired of the license limits and the device is about six years old.
So I have an Atom server with three interfaces, one each for public/DMZ/internal. The current config with the ASA is the following: external (fxp1) ---> Firewall ---> DMZ (192.168.100.0/24) (fxp0) ---> Internal (192.168.200.0/24) (re0). I don't really want to re-IP the nodes in the DMZ, so if possible I'd like to keep everything the same. I've purchased The Book of PF (2nd edition) but still need some assistance. Here is my pf.conf:

Code:
#MACROS
_int="re0"
lan="re0:network"
_dmz="fxp0"
dmz="192.168.100.0/24"
mailserver="192.168.100.2"
ftpwebserver="192.168.100.1"
RFC1918="{ 10/8 172.16/12 192.168/16 }"

#TABLES

#OPTIONS
set skip on lo
set block-policy drop

#NORMALIZE TRAFFIC
match in all scrub ( no-df max-mss 1440 )

#NAT
# hide both the LAN and the DMZ behind the egress address
match out on egress from $lan to any nat-to egress
match out on egress from $dmz to any nat-to egress

#REDIRECTIONS
# inbound mail/webmail ports go to the mail server (one rule instead of
# one rule per port; the original list had ports 25 and 110 twice)
match in on egress inet proto tcp from any to any \
    port { 25 110 443 465 587 995 } rdr-to $mailserver
match in on egress inet proto tcp from any to any port 80 \
    rdr-to $ftpwebserver

#BLOCK POLICY
block log all

#PROTECTION
antispoof for { lo0 re0 fxp0 fxp1 }
block in on egress from $RFC1918 to any
block out on egress from any to $RFC1918

#AUTHORIZE PINGS
pass inet proto icmp all icmp-type { echoreq, unreach }

#FORWARDING OUT
pass out on egress inet proto tcp from any to any
pass out on egress inet proto udp from any to any

#LAN SERVICES
anchor "ftp-proxy/*"
pass in on $_int proto tcp from any to any port ftp \
    rdr-to 127.0.0.1 port 8021

#AUTHORIZED SERVICES
pass in on $_int proto tcp from $lan to any port \
    { 80 22 3000 4567 443 53 69 }
pass in quick on $_int proto udp from $lan to any port { domain 69 }

#CONSOLE ACCESS
#pass in on egress proto tcp from any to egress port 22

#DMZ SERVICES
pass in on egress proto tcp from any to $mailserver port \
    { 25 110 443 587 465 995 }
pass out on $_dmz proto tcp from any to $mailserver port \
    { 25 110 443 587 465 995 }
pass in on $_dmz proto tcp from $mailserver to any port \
    { 25 110 587 465 995 }

#ACCESS WEB SERVICES
pass in on egress inet proto tcp from any to $ftpwebserver port 80
# the web server sits on the DMZ interface, so the pass out belongs on $_dmz
pass out on $_dmz inet proto tcp from any to $ftpwebserver port 80

Basically I want the internal network to be able to access the DMZ but obviously not the other way around. I'm having some issues with that part.

Last edited by ocicat; 1st November 2011 at 05:05 PM. Reason: Please use [code] & [/code] tags when posting command output.
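As an added illustration (not part of the original post or the poster's own pf.conf): one way to express "internal hosts may open connections to the DMZ, DMZ hosts may never open connections to the internal network" in PF, reusing the poster's macro names. It relies on PF's default stateful filtering: a `pass in` on the internal interface creates state, and with the default floating state policy the reply packets are matched against that state on the DMZ interface before any rule is evaluated, so no `pass` for return traffic is needed on `$_dmz`. The explicit `block in quick` on the DMZ interface is what keeps a later `pass ... from $mailserver to any` from reaching LAN hosts. The port lists, the use of `quick`, and the rule order are assumptions for the example.

```pf
# Added example, not from the original post: LAN -> DMZ allowed, DMZ -> LAN denied.
# Macros as in the poster's configuration.
_int="re0"
lan="re0:network"
_dmz="fxp0"
dmz="192.168.100.0/24"
mailserver="192.168.100.2"

# Default deny, logged, so anything not listed below shows up in pflog0.
block log all

# DMZ hosts must never initiate toward the internal network. "quick" ends
# evaluation here, so no later "pass ... to any" rule can override it.
block in log quick on $_dmz from $dmz to $lan

# Internal hosts may reach DMZ services (port list is a placeholder).
# State is created on this inbound match; the server's replies arriving on
# $_dmz are matched against that state and never reach the block above.
pass in on $_int proto tcp from $lan to $dmz port { 80 443 25 }

# The mail server may still talk to the Internet. "any" no longer leaks into
# the LAN because the quick block above has already excluded it.
pass in on $_dmz proto tcp from $mailserver to any port { 25 465 587 }
```

Checking the result: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -sr` shows the loaded rule order (the `block ... quick` must appear before the mail server's `pass`), and `tcpdump -n -e -ttt -i pflog0` while a DMZ host tries to connect to a LAN address shows the logged block, which is the check that the policy actually holds rather than merely parses.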