--On 22 June 2005 09:03 -0400, Vivek Ayer wrote:

> Once I enable pf with the given ruleset, I can't all of a sudden ping
> to domains.

PF is doing exactly what you told it ...

> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 }"
>   [...]
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets

If your ISP is using addresses within 192.168/16 for their infrastructure, you can't block access to those addresses.


> So, now the question is, can I do NAT from one interface to two
> internal interfaces? Or, would I have to modify it and in doing ext_if
> --> NAT --> int_if --> NAT --> wir_if (wireless interface)?
>  [...]
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> What does this do exactly? Looking at it, I don't see int_if and
> wir_if to which it does NAT.

($ext_if) means "the IP address of $ext_if", in your case dc1.
!($ext_if) means the opposite of the above: any IP address *other than* the address of dc1.

So, this NATs traffic from any addresses not assigned to your external interface. Alternatively you could use something like,

nat on $ext_if from $int_if:network -> ($ext_if:0)
nat on $ext_if from $wir_if:network -> ($ext_if:0)


> Also, in dhcpd.conf, do I need to have the statement:
>
> option domain-name-servers 192.168.1.1
>
> to tell the dhcp clients of the internal interfaces that the
> nameserver they will be using is the ISP's?

Yes (unless you run a forwarder yourself, or configure the clients' DNS resolver addresses manually).


> Sorry to bother you guys like this. I'm a newbie in OpenBSD as well as
> pf. Thanks a lot, though.

With <http://www.openbsd.org/faq/pf/> and pf.conf(5) by your side, start minimal (maybe just a nat rule, "pass on {$int_if, $wir_if}", "block in on $ext_if", "pass out on $ext_if keep state") and then gradually refine. Make one change at a time, test it, and understand what it does before moving on to the next.

Using 'log' in your rules (both "pass" and "block" rules at first) and monitoring with tcpdump (as described in pflogd(8)) will show you the effects of any new rules which you try. You'll also find "pfctl -sr -v -v" useful in debugging firewall rules, and "pfctl -sn -v -v" useful in debugging nat/rdr.
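Putting the pieces of this reply together, here is a complete minimal pf.conf for one external interface and two NATed internal interfaces. It is a constructed example added to this page, not Vivek's ruleset or the reply's own file; it uses the old (nat/rdr) syntax of the OpenBSD releases current in 2005. dc1 as the external interface comes from the thread; the internal interface names sis0 and wi0 are assumptions.

```conf
# /etc/pf.conf -- constructed example, not the ruleset posted in the thread.
# Old-style (pre-4.7) nat/rdr syntax, as used in OpenBSD 3.7.
# Interface names: dc1 is from the thread, sis0/wi0 are assumed.
ext_if = "dc1"
int_if = "sis0"      # wired LAN (assumed name)
wir_if = "wi0"       # wireless LAN (assumed name)

# Only list private ranges you really never need to reach through the ISP.
# 192.168/16 is deliberately left out: if the ISP numbers its own gear
# (e.g. its nameservers) from that range, blocking it breaks name
# resolution, which is the "can't ping domains" symptom above.
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8 }"

# NAT everything whose source is not the external interface's own address.
# !($ext_if) = any address other than dc1's; ($ext_if:0) = dc1's first
# address, re-evaluated if it changes (DHCP).
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Equivalent, but explicit per internal network (use one form, not both):
# nat on $ext_if from $int_if:network -> ($ext_if:0)
# nat on $ext_if from $wir_if:network -> ($ext_if:0)

# Martian filtering on the external interface only; 'log' so that
# "tcpdump -n -e -ttt -i pflog0" shows exactly which packets hit these.
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets

# Default deny for anything arriving from the ISP, logged while debugging.
block in log on $ext_if

# Trust both internal LANs in either direction.
pass on { $int_if, $wir_if }

# Stateful outbound: replies to outgoing connections (and the ICMP echo
# replies your pings need) are let back in by the state entry.
pass out on $ext_if keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; "pfctl -sn -v -v" should show the single nat rule with its evaluation counters, and "pfctl -sr -v -v" the filter rules.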
