Hi All,

I have done some testing using PF on OpenBSD 4.9. There were 2 tests:
1. without NAT (successful)
2. with source NAT (not successful)

The diagram is

notebook----------em0[OpenBSD 4.9 PF]em1---------webserver(TCP/443)

em0 is 192.168.1.216/24
notebook is 192.168.1.21/24
em1 is 192.168.2.216/24
webserver is 192.168.2.80/24
IP alias for NAT on em1 is 192.168.2.232/32
ip forwarding in sysctl = 1
Notebook's gateway is the firewall internal IP: 192.168.1.216
Firewall's gateway is the webserver: 192.168.2.80
Webserver's gateway is the firewall external IP: 192.168.2.216

I have tried to do source NAT testing to allow traffic from the notebook to the webserver so that the webserver knows that the incoming traffic is coming from 192.168.2.232 (NAT IP) instead of 192.168.1.21.

192.168.1.21-->192.168.2.232-->192.168.2.80

Unfortunately it hasn't worked at all. I have tried to monitor the traffic using tcpdump on em1 (external int) but no packets pass through em1 at all.

Below are the rules for the scenario above using NAT:

# Tables: (1)
table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 }

# Rule 0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
match out on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232

# Rule backup ssh access rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
#
# Rule 0 (em0) notebook access webserver
pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state ( max 10000, max-src-conn 10 )
#
# Rule 1
block log quick inet from any to any no state

# block all
block quick inet from any to any no state

What else is missing or isn't configured correctly? There was no error when I reloaded the rules using pfctl -f /etc/pf.conf

Thanks

Regards,
Stefan
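Editor's added example, not part of Stefan's post. In PF (OpenBSD 4.7 and later) the direction and interface on a "match ... nat-to" rule refer to where the packet leaves the firewall, and "out on em0" is never true for notebook-to-webserver traffic, which enters em0 and leaves em1; the same applies to the "pass out ... on em0" rule, so the remaining "block ... quick" rules drop the packets before they ever reach em1. The ruleset below uses only the addresses and interfaces given in the post and keeps the same table and ssh rule; the macro names are the editor's own. It attaches nat-to to the pass rule on em1 (PF allows translation options directly on a pass rule), so it does not depend on how later rules see the translated source address, and adds the inbound pass on em0 that the quick block rules otherwise make necessary.

```pf
# Added example: PF source NAT for the notebook -> webserver path.
# Interface roles and addresses are taken from the diagram in the post;
# macro names are the editor's assumption.
int_if    = "em0"            # notebook side, 192.168.1.216
ext_if    = "em1"            # webserver side, 192.168.2.216 (+ alias .232)
notebook  = "192.168.1.21"
webserver = "192.168.2.80"
nat_ip    = "192.168.2.232"  # /32 alias on em1; the firewall answers ARP for it

table <tbl.r0.d> { 192.168.1.216, 192.168.2.216, 192.168.2.232, 192.168.3.216 }

# Backup ssh access to the firewall's own addresses (unchanged from the post).
pass in quick inet proto tcp from $notebook to <tbl.r0.d> port 22

# Step 1: let the HTTPS request in on the internal interface. Without this,
# "block ... quick" below drops it before forwarding is even attempted.
pass in quick on $int_if inet proto tcp from $notebook to $webserver port 443

# Step 2: pass it out on the EXTERNAL interface and translate the source
# there. "out on em1" is the interface the packet actually leaves on;
# "out on em0" never matches this flow. The state created here carries the
# translation, so the reply from 192.168.2.80 to 192.168.2.232 is mapped
# back to 192.168.1.21 automatically.
pass out log quick on $ext_if inet proto tcp from $notebook to $webserver port 443 \
    nat-to $nat_ip keep state (max 10000, max-src-conn 10)

# Everything else is dropped and logged (as in the post).
block log quick inet from any to any no state
```

To check the rules before loading them, run "pfctl -nf /etc/pf.conf" (parse only), then load with "pfctl -f /etc/pf.conf". After a request from the notebook, "pfctl -ss" should show a state on em1 whose source is rewritten to 192.168.2.232, and "tcpdump -n -e -ttt -i pflog0" shows which rule logged or dropped a packet, which is the quickest way to see that the old "out on em0" rules were never the ones matching.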