pf NAT rule isn't working
Hi all,

I am running OpenBSD 5.1 in VMware and using it as a firewall with two interfaces. I am using the rule

pass out on vic0 from 192.168.0.0/24 to any nat-to 192.168.101.8

to allow NAT, but it is not working: when I ping host A from host B, which is behind the firewall, I can still see the real IP address of host B on host A; it is not being translated to 192.168.101.8.

vic0 = 192.168.101.8
vic1 = 192.168.0.8

host A --> vic0 [OpenBSD] vic1 --> host B

Can anybody help me fix this issue? Thanks in advance.
|
I tried that and that doesn't work either
|
|
Does anybody know whether I have to configure OpenBSD in some way to allow NAT to work, or is that the only rule I need? Is there a place in my pf.conf where this rule should go, or can it be anywhere?
|
I use this on my OpenBSD firewall:
Code:
# ---- external/egress interface
match out inet from ! egress to any nat-to (egress)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|
Code:
vic0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:0c:29:f1:fe:13
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 192.168.101.8 netmask 0xffffff00 broadcast 192.168.101.255
vic1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:0c:29:f1:fe:1d
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 192.168.0.8 netmask 0xffffff00 broadcast 192.168.0.255
net.inet.ip.forwarding=1
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.101.69     UGS        2    26475     -     8 vic0
127/8              127.0.0.1          UGRS       0        0 33196     8 lo0
127.0.0.1          127.0.0.1          UH         1        6 33196     4 lo0
192.168.0/24       link#2             UC         1        0     -     4 vic1
192.168.0.15       00:0c:29:d6:77:8b  UHLc       0     1573     -     4 vic1
192.168.101/24     link#1             UC         2        0     -     4 vic0
192.168.101.1      00:50:56:c0:00:06  UHLc       3      398     -     4 vic0
192.168.101.69     00:0c:29:b8:28:f4  UHLc       1        0     -     4 vic0
224/4              127.0.0.1          URS        0        0 33196     8 lo0
@0 match in all scrub (no-df)
  [ Evaluations: 469989    Packets: 16762     Bytes: 1160928     States: 4     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@1 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@2 block drop in log quick on ! vic0 inet from 192.168.101.0/24 to any
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@3 block drop in log quick inet from 192.168.101.8 to any prio 0
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@4 block drop in log quick on ! vic1 inet from 192.168.0.0/24 to any
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@5 block drop in log quick inet from 192.168.0.8 to any prio 0
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@6 anchor "ftp-proxy/*" all
  [ Evaluations: 469989    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@7 pass in quick inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
  [ Evaluations: 469989    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@8 block drop in log all
  [ Evaluations: 468570    Packets: 468060    Bytes: 37277792    States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@9 block drop in log on ! lo0 proto tcp from any to any port 6000:6010
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@10 block drop in log quick inet6 all
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@11 block drop out log quick inet6 all
  [ Evaluations: 1419      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@12 pass out quick all flags S/SA
  [ Evaluations: 469989    Packets: 18797     Bytes: 1269590     States: 9     ]
  [ Inserted: uid 0 pid 25829 State Creations: 1419  ]
@13 pass log proto icmp all
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@14 pass out on vic0 inet from 192.168.0.0/24 to any flags S/SA nat-to (vic0:1) round-robin
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
@15 pass in log on vic0 inet proto tcp from any to 192.168.101.8 port = 22 flags S/SA
  [ Evaluations: 468062    Packets: 286       Bytes: 34490       States: 1     ]
  [ Inserted: uid 0 pid 25829 State Creations: 2     ]
@16 pass in quick on vic1 inet from 192.168.0.0/24 to any flags S/SA
  [ Evaluations: 468570    Packets: 16476     Bytes: 1126438     States: 3     ]
  [ Inserted: uid 0 pid 25829 State Creations: 508   ]
@17 pass out on vic0 inet from 192.168.0.0/24 to any flags S/SA nat-to 192.168.101.8
  [ Evaluations: 468062    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25829 State Creations: 0     ]
Status: Enabled for 0 days 01:35:47            Debug: err

State Table                          Total             Rate
  current entries                       16
  searches                          545159           94.9/s
  inserts                             2596            0.5/s
  removals                            2580            0.4/s
Counters
  match                             491411           85.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
|
In order to harden my OpenBSD I disabled some services; do I need any of the services I disabled for NAT to work?

sendmail_enable="NONE"
sendmail_flags=NO
spamlogd_flags=NO
inetd=NO
ypserv_flags=NO
nfsd_flags=NO
amd_master=NO
ipsec_rules=
bt_rules=
afsd_flags=NO
ntpd_flags="-s"
ftpproxy_flags=""
|
Code:
@12 pass out quick all flags S/SA
  [ Evaluations: 469989    Packets: 18797     Bytes: 1269590     States: 9     ]
  [ Inserted: uid 0 pid 25829 State Creations: 1419  ]
@14 pass out on vic0 inet from 192.168.0.0/24 to any flags S/SA nat-to (vic0:1) round-robin
  [ Evaluations: 468570    Packets: 0         Bytes: 0           States: 0     ]
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
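To make the hint in this reply concrete: pf evaluates rules top to bottom, the last matching pass/block rule wins, and a matching rule with `quick` ends evaluation on the spot. The following is an added Python model of that evaluation order (not pf's code and not from the thread) run over rules @12, @14 and @17 from the posted `pfctl` output; the rule numbers, interfaces and addresses are the thread's own, and `(vic0:1)` is assumed to resolve to vic0's address 192.168.101.8.

```python
import ipaddress

# Constructed model of pf rule evaluation; only the fields that matter for the
# outbound ping are kept. Rule numbers and addresses are from the thread's
# pfctl output, "(vic0:1)" in @14 is taken as vic0's address 192.168.101.8.
AS_POSTED = [
    {"num": 12, "action": "pass", "quick": True,  "iface": None,   "src": None,             "nat_to": None},
    {"num": 14, "action": "pass", "quick": False, "iface": "vic0", "src": "192.168.0.0/24", "nat_to": "192.168.101.8"},
    {"num": 17, "action": "pass", "quick": False, "iface": "vic0", "src": "192.168.0.0/24", "nat_to": "192.168.101.8"},
]
# Host B's ping leaving the firewall on vic0 (192.168.0.15 is in the posted route table).
PACKET = {"iface": "vic0", "src": "192.168.0.15"}

def matches(rule, pkt):
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["src"] is not None:
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"])
    return True

def evaluate(ruleset, pkt):
    """Returns (winning rule, source address after NAT, rule numbers evaluated).
    Last matching pass rule wins; a matching 'quick' rule stops evaluation;
    'match' rules never win, they only attach options such as nat-to."""
    winner, nat_src, seen = None, pkt["src"], []
    for rule in ruleset:
        seen.append(rule["num"])
        if not matches(rule, pkt):
            continue
        if rule["nat_to"]:
            nat_src = rule["nat_to"]
        if rule["action"] == "match":
            continue
        winner = rule["num"]
        if rule["quick"]:
            break          # nothing below this rule is ever looked at

    return winner, nat_src, seen

def as_posted():
    # @12 'pass out quick all' wins at once, so @14/@17 never see the packet:
    # source stays 192.168.0.15, matching "Packets: 0" on both NAT rules.
    return evaluate(AS_POSTED, PACKET)          # (12, '192.168.0.15', [12])

def without_quick():
    # Fix 1: drop 'quick' from @12; evaluation continues and @17 is the last match.
    rules = [dict(AS_POSTED[0], quick=False)] + AS_POSTED[1:]
    return evaluate(rules, PACKET)              # (17, '192.168.101.8', [12, 14, 17])

def with_match_first():
    # Fix 2: a 'match ... nat-to' rule ABOVE @12 (the earlier reply's style);
    # its nat-to sticks even though @12 still ends evaluation.
    m = {"num": "match", "action": "match", "quick": False, "iface": "vic0",
         "src": "192.168.0.0/24", "nat_to": "192.168.101.8"}
    return evaluate([m] + AS_POSTED, PACKET)    # (12, '192.168.101.8', ['match', 12])
```

After changing the ruleset, `pfctl -vvsr` should show the Packets and States counters on the nat-to rule (or the match rule) start to climb, and tcpdump on vic0 should show the translated source.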
|
Thank you very very very much!