OpenBSD Security (Functionally paranoid!)
Giving Two Separate Networks Internet With PF
Hello again.

I have two networks that I am trying to keep separate but allow internet access to each.

Code:
EXT="pppoe0"
INT1="re1"
INT2="re2"
INT_NET1="{ 192.168.0.2, 192.168.0.3 }"
INT_NET2="{ 10.0.0.2, 10.0.0.3 }"

set block-policy drop
block log all
match log on pppoe0 scrub (reassemble tcp max-mss 1440)

nat on $EXT from $INT_NET1 -> ($EXT:0)
nat on $EXT from $INT_NET2 -> ($EXT:0)

pass out on $EXT inet from any to any
# The post wrote "$INT" on the next two lines; no INT macro is defined above,
# so $INT1 and $INT2 are assumed to be the interfaces meant
pass in on $INT1 inet from $INT_NET1 to any
pass in on $INT2 inet from $INT_NET2 to any

Code:
inet 192.168.0.1 255.255.255.0

Code:
inet 10.0.0.1 255.0.0.0

Traffic coming from INT_NET1 can get to the internet, but traffic on INT_NET2 cannot. This seems very simple and like it should work; what am I doing wrong? (And thanks in advance.)
I don't use PPPoE, but to do NAT I have this in my pf.conf:

Code:
# ---- external/egress interface
match out inet from ! egress to any nat-to (egress)
# ifconfig -A and
# netstat -rn -f inet
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I went ahead and upgraded to 5.2, then I added the egress nat line you suggested and it now works. Thanks!

One more question though: I want to keep INT1="re1" and INT2="re2" from any form of communication with each other. Do I need to add any blocks for that, or is it good as is?
You have a default policy of "block log all", so as far as I can see you don't need any additional blocking rules.

You can verify this by running tcpdump on the pflog0 device and then, for example, doing a ping from a host on the INT1 net to one on the INT2 network. The ping attempt should be blocked and show up in the tcpdump output.
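As an added example (not code from either poster), here is the whole ruleset in OpenBSD 5.2 syntax, combining the nat-to egress line with an explicit, logged LAN-to-LAN block: the explicit block rules are what make the tcpdump test above observable, since a packet that hits a pass rule without log is never written to pflog0, and the stateful "pass in ... to any" rules would otherwise create state that forwards a packet from one LAN to the other. The interface names and addresses are the ones from the first post; the lower-case macro names and the /24 and /8 network notation are assumptions.

```pf
# /etc/pf.conf: two isolated LANs behind one PPPoE uplink (OpenBSD 5.2 syntax).
# Interfaces and addresses as in the first post; macro names are assumed.
ext_if   = "pppoe0"
int1_if  = "re1"
int2_if  = "re2"
int_net1 = "192.168.0.0/24"   # re1 is 192.168.0.1 255.255.255.0
int_net2 = "10.0.0.0/8"       # re2 is 10.0.0.1 255.0.0.0

set block-policy drop
set skip on lo

# Clamp MSS for the PPPoE link (the scrub options from the first post)
match on $ext_if scrub (reassemble tcp max-mss 1440)

# One translation rule covers both LANs; (egress) follows the dynamic PPPoE address
match out on egress inet from { $int_net1, $int_net2 } to any nat-to (egress)

# Default deny, logged to pflog0
block log all

# Explicit, logged, quick blocks between the LANs. They are evaluated before the
# stateful pass rules below, so a LAN-to-LAN ping shows up as "block" on pflog0
# instead of silently matching "pass in ... to any" and being forwarded.
block log quick on $int1_if inet from $int_net1 to $int_net2
block log quick on $int2_if inet from $int_net2 to $int_net1

# Each LAN may go anywhere else; the quick blocks above already removed the other LAN
pass in on $int1_if inet from $int_net1 to any
pass in on $int2_if inet from $int_net2 to any
pass out on egress inet

# Verify:  pfctl -nf /etc/pf.conf          (syntax check only, loads nothing)
#          tcpdump -n -e -ttt -i pflog0     (then ping 10.0.0.2 from 192.168.0.2
#                                            and look for "block in on re1")
```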