DaemonForums  

#1, 29th September 2013, flit (New User)
pf NAT rule isn't working

Hi all,

I am running OpenBSD 5.1 in VMWare, I am using it as a firewall with 2
interfaces, and I am using the rule:
pass out on vic0 from 192.168.0.0/24 to any nat-to 192.168.101.8

to allow NAT, but it is not working: when I ping host A from host B, which is behind the firewall, I can still see the real IP address of host B on host A; it is not being translated to 192.168.101.8.

vic0 = 192.168.101.8
vic1 = 192.168.0.8

host A --> vic0 [OpenBSD] vic1 --> host B

Can anybody help me fix this issue?

Thanks in advance.
#2, 29th September 2013, rocket357 (Wannabe OpenBSD porter)

What about:

pass out on vic0 from 192.168.0.0/24 to any nat-to (vic0)

?
__________________
Linux Admin by Profession. OpenBSD user by choice.

#3, 29th September 2013, flit

I tried that and that doesn't work either.
#4, 29th September 2013, flit

Does anybody know if I have to configure OpenBSD in some way to allow NAT to
work, or is that the only rule I have to use?

Is there a place in my pf.conf where this rule should be, or could it be anywhere?
#5, 29th September 2013, J65nko (Administrator)

I use this on my OpenBSD firewall:
Code:
# ---- external/egress interface
match out inet from ! egress to any  nat-to (egress)
If this still does not work in your case, please post the output of:
  • # ifconfig vic0
  • # ifconfig vic1
  • # sysctl net.inet.ip.forwarding
  • # netstat -rn -f inet
  • # pfctl -vvsr
  • # pfctl -s info
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#6, 29th September 2013, flit

Code:
vic0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:0c:29:f1:fe:13
	priority: 0
	groups: egress
	media: Ethernet autoselect
	status: active
	inet 192.168.101.8 netmask 0xffffff00 broadcast 192.168.101.255


vic1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:0c:29:f1:fe:1d
	priority: 0
	media: Ethernet autoselect
	status: active
	inet 192.168.0.8 netmask 0xffffff00 broadcast 192.168.0.255


net.inet.ip.forwarding=1


Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.101.69     UGS        2    26475     -     8 vic0 
127/8              127.0.0.1          UGRS       0        0 33196     8 lo0  
127.0.0.1          127.0.0.1          UH         1        6 33196     4 lo0  
192.168.0/24       link#2             UC         1        0     -     4 vic1 
192.168.0.15       00:0c:29:d6:77:8b  UHLc       0     1573     -     4 vic1 
192.168.101/24     link#1             UC         2        0     -     4 vic0 
192.168.101.1      00:50:56:c0:00:06  UHLc       3      398     -     4 vic0 
192.168.101.69     00:0c:29:b8:28:f4  UHLc       1        0     -     4 vic0 
224/4              127.0.0.1          URS        0        0 33196     8 lo0  


@0 match in all scrub (no-df)
  [ Evaluations: 469989    Packets: 16762     Bytes: 1160928     States: 4     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@1 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@2 block drop in log quick on ! vic0 inet from 192.168.101.0/24 to any
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@3 block drop in log quick inet from 192.168.101.8 to any prio 0
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@4 block drop in log quick on ! vic1 inet from 192.168.0.0/24 to any
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@5 block drop in log quick inet from 192.168.0.8 to any prio 0
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@6 anchor "ftp-proxy/*" all
  [ Evaluations: 469989    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@7 pass in quick inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
  [ Evaluations: 469989    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@8 block drop in log all
  [ Evaluations: 468570    Packets: 468060    Bytes: 37277792    States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@9 block drop in log on ! lo0 proto tcp from any to any port 6000:6010
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@10 block drop in log quick inet6 all
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@11 block drop out log quick inet6 all
  [ Evaluations: 1419      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@12 pass out quick all flags S/SA
  [ Evaluations: 469989    Packets: 18797     Bytes: 1269590     States: 9     ]
  [ Inserted: uid 0 pid 25829 State Creations: 1419  ]
@13 pass log proto icmp all
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@14 pass out on vic0 inet from 192.168.0.0/24 to any flags S/SA nat-to (vic0:1) round-robin
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@15 pass in log on vic0 inet proto tcp from any to 192.168.101.8 port = 22 flags S/SA
  [ Evaluations: 468062    Packets: 286       Bytes: 34490       States: 1     ]
  [ Inserted: uid 0 pid 25829 State Creations: 2     ]
@16 pass in quick on vic1 inet from 192.168.0.0/24 to any flags S/SA
  [ Evaluations: 468570    Packets: 16476     Bytes: 1126438     States: 3     ]
  [ Inserted: uid 0 pid 25829 State Creations: 508   ]
@17 pass out on vic0 inet from 192.168.0.0/24 to any flags S/SA nat-to 192.168.101.8
  [ Evaluations: 468062    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]


Status: Enabled for 0 days 01:35:47              Debug: err

State Table                          Total             Rate
  current entries                       16               
  searches                          545159           94.9/s
  inserts                             2596            0.5/s
  removals                            2580            0.4/s
Counters
  match                             491411           85.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
#7, 29th September 2013, flit

In order to harden my OpenBSD I disabled some services. Do I need any
of the services I disabled for NAT to work?

sendmail_enable="NONE"
sendmail_flags=NO
spamlogd_flags=NO
inetd=NO
ypserv_flags=NO
nfsd_flags=NO
amd_master=NO
ipsec_rules=
bt_rules=
afsd_flags=NO
ntpd_flags="-s"
ftpproxy_flags=""
#8, 30th September 2013, J65nko (Administrator)

Code:
@12 pass out quick all flags S/SA
  [ Evaluations: 469989    Packets: 18797     Bytes: 1269590     States: 9     ]
  [ Inserted: uid 0 pid 25829 State Creations: 1419  ]

@14 pass out on vic0 inet from 192.168.0.0/24 to any flags S/SA nat-to (vic0:1) round-robin
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
Rule nr 12 uses quick, so your NAT rule nr 14 is never used/applied to the outgoing packets. So please try the match rule that I suggested, as the first rule.
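To make the diagnosis in #8 concrete, here is a small Python model of pf's evaluation order (an added example, not code from this thread or from OpenBSD): the last matching pass or block rule wins, quick ends the walk at that rule, and match rules never win but their nat-to option sticks to the packet. It is run over rules @12, @14 and @17 from flit's pfctl -vvsr output; the rule encoding, the packet from host B and the "!" negation standing in for "! egress" are constructed simplifications.

```python
import ipaddress

# Constructed model of pf's rule walk (an added example, not pf's own code):
# rules are evaluated in order, the last matching pass/block rule wins, "quick"
# ends the walk at that rule, and "match" rules never win but their nat-to sticks.
def rule(action, direction, src="any", iface=None, quick=False, nat_to=None):
    return dict(action=action, direction=direction, src=src,
                iface=iface, quick=quick, nat_to=nat_to)

def matches(r, pkt):
    if r["direction"] != pkt["dir"]:
        return False
    if r["iface"] is not None and r["iface"] != pkt["iface"]:
        return False
    if r["src"] == "any":
        return True
    negate = r["src"].startswith("!")          # "! egress" style negation
    net = ipaddress.ip_network(r["src"].lstrip("! "), strict=False)
    return (ipaddress.ip_address(pkt["src"]) in net) != negate

def evaluate(rules, pkt):                      # -> (verdict, source after NAT)
    winner, nat = None, None
    for r in rules:
        if not matches(r, pkt):
            continue
        if r["action"] == "match":
            nat = r["nat_to"] or nat           # sticky option, keep walking
            continue
        winner = r
        if r["quick"]:
            break                              # no later rule is looked at
    if winner is None or winner["action"] != "pass":
        return ("block", pkt["src"])
    if winner["nat_to"]:                       # only a winning pass rule NATs
        nat = winner["nat_to"]
    return ("pass", nat or pkt["src"])

EGRESS = "192.168.101.8"    # vic0's address, from the thread
# Constructed packet: host B (192.168.0.15 in the routing table) leaving vic0.
PKT = {"dir": "out", "iface": "vic0", "src": "192.168.0.15"}

# Rules @12, @14 and @17 from flit's pfctl -vvsr output, in that order.
ORIGINAL = [
    rule("pass", "out", quick=True),
    rule("pass", "out", src="192.168.0.0/24", iface="vic0", nat_to=EGRESS),
    rule("pass", "out", src="192.168.0.0/24", iface="vic0", nat_to=EGRESS),
]
# J65nko's fix: a match rule with nat-to placed before everything else.
FIXED = [rule("match", "out", src="!" + EGRESS, nat_to=EGRESS)] + ORIGINAL
```

evaluate(ORIGINAL, PKT) leaves the source at 192.168.0.15 because the quick rule @12 wins before @14 is reached, while evaluate(FIXED, PKT) returns 192.168.101.8; dropping the quick rule (ORIGINAL[1:]) would also let the pass ... nat-to rule win.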
#9, 30th September 2013, flit

Thank you very very very much!