On Sun, Dec 03, 2006 at 12:25:36PM +0100, Niklas Saers wrote:
>
> I've been reading a bit and using examples I've found good, and so far
> my pf.conf looks like this. NAT seems to work fine for the internal
> network, not for the business network. Incoming traffic to 10.0.3.2
> does not work, neither does incoming to 10.0.2.2, and setting up an
> ssh connection between 10.0.2.2 and 10.0.3.2 takes about 26 seconds.
> Do you have any suggestions on how I can solve these problems? Are
> there any problems with this setup that I have not discovered yet?
>
> # macros
> ext_if = "sis0"
> int_if = "sis1"
> bus_if = "sis2"
> internal_net = "10.0.2.0/24"
> business_net = "10.0.3.0/24"
> soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"
>
> # tables
> table <firewall> const { self }
>
> # options
> set block-policy drop
> set state-policy if-bound
>
> # scrub incoming packets
> scrub all reassemble tcp fragment reassemble
>
> # nat
> nat on $ext_if from $internal_net to any -> ($ext_if)
> no nat on $ext_if from $internal_net to $business_net
> no nat on $ext_if from $internal_net to $soekris
>
> # redirection
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 443, 3306 } -> 10.0.3.2
> rdr on $ext_if proto tcp from any to $ext_if -> 10.0.2.2
>
> # setup a default deny policy
> block drop log all
>
> # pass traffic on the loopback interface in either direction
> pass quick on lo0 all
> pass quick on $int_if all
> pass quick on $bus_if all
>
> # outgoing dns, ntp
> pass out quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state
>
> # outgoing from firewall
> pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
> pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
>
> # incoming active ftp-data (this is required for active ftp to work)
> pass in log quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state
>
> # incoming tcp and udp from the internal network to the internet
> pass in log quick on $int_if inet proto tcp from $internal_net to !<firewall> flags S/SA modulate state
> pass in log quick on $int_if inet proto udp from $internal_net to !<firewall> keep state
<disclaimer>I'm also a pf n00b, so please don't regard this as expert opinion!</disclaimer>

From reading the excellent documentation at the OpenBSD site, I think you
are missing a `pass' rule for your redirected traffic. You can either add a
`pass' keyword to the rdr rules (which will mean they don't get filtered
/at all/), or you can write dedicated `pass' rules for the redirected
traffic. Remember that the filtering engine will see the redirected packets
/after/ translation occurs, so take that into account if you write
dedicated rules.

As for your ssh problem - this may be related to a DNS timeout. Try
disabling DNS in ssh (by default, it will try to look up the name of a
remote host from its IP and check that it resolves back to the same
address). Alternatively, you can edit your /etc/hosts, or start running a
local name server.

Anyway, like I said - IANAE!

Dan

-- 
Daniel Bye

PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
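The redirection section of the quoted pf.conf with the dedicated `pass' rules the reply says are missing, as an added example that is not part of either message in the thread. It reuses the interface names and addresses from the quoted config and the older pf syntax the post uses (rdr and pass as separate rules); the macro names bus_host and int_host and the port 80 on the second pass rule are assumptions, not values from the thread.

```pf
# Added example, not from the original thread: the two rdr rules from the
# quoted pf.conf plus the pass rules they were missing. Interface names and
# addresses are the ones from the post; bus_host, int_host and port 80 are
# assumed names/values chosen for illustration.

ext_if   = "sis0"
bus_host = "10.0.3.2"        # assumed macro name for the business-net server
int_host = "10.0.2.2"        # assumed macro name for the internal-net server

# redirection: translation is applied BEFORE the packet reaches the filter,
# and rdr rules are matched first-to-last, so the port-specific rule stays
# ahead of the catch-all
rdr on $ext_if proto tcp from any to $ext_if port { 22, 443, 3306 } -> $bus_host
rdr on $ext_if proto tcp from any to $ext_if -> $int_host

# default deny, logged to pflog0 so dropped packets can be inspected
block drop log all

# Option the reply warns against: "rdr pass" lets redirected packets bypass
# the filter rules entirely, so it is left commented out here.
# rdr pass on $ext_if proto tcp from any to $ext_if port 22 -> $bus_host

# Dedicated pass rules. The filter sees the destination AFTER rdr has
# rewritten it, so these match the internal hosts, not $ext_if.
pass in log quick on $ext_if inet proto tcp from any to $bus_host \
    port { 22, 443, 3306 } flags S/SA keep state

# The second rdr redirects every remaining TCP port to 10.0.2.2. Listing
# ports here keeps the filter in charge of what actually reaches that host;
# anything else the rdr forwards falls through to "block drop log all".
# Port 80 is an assumed placeholder: substitute the services 10.0.2.2 offers.
pass in log quick on $ext_if inet proto tcp from any to $int_host \
    port { 80 } flags S/SA keep state
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. `pfctl -v -s rules` prints per-rule match counters, which shows whether the new pass rules are being hit, and because the default deny rule is logged, `tcpdump -n -e -ttt -i pflog0` shows which inbound packets are still dropped and whether they carry the translated (10.0.x.x) destination rather than the external address. For the slow ssh logins the reply attributes to DNS, the reverse lookup it describes is done by the ssh server; `UseDNS no` in sshd_config on the receiving host disables it.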