Hi Charles,

If you try to access X.X.X.25 from within 192.168.100.x it will not work, because of the NAT.
The same applies to 192.168.200.x.
It would be much easier to have two separate firewalls, one for browsing and one for servers.

Rosen

Charles Farinella wrote:
Thanks to all for the help.

Martin Toft wrote:
On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
I have an OpenBSD 3.9 machine with a public IP providing NAT and
firewalling for our internal network.  It has 3 interfaces:

dc0: public ip from internet X.X.X.25
dc1: 192.168.100.x to internal network.  This works well.
dc2: 192.168.200.x --> to Windows server.

I need to allow public access to the Windows server connected to dc2
(one port only).  Currently I have a private network address assigned
to dc2 and a public one (X.X.X.26) assigned to the machine connected
to it.

You should put a private 192.168.200.x IP address on the Windows box,
not a global X.X.X.26 address. Afterwards, do a simple port forwarding
(redirection in pf language) at the OpenBSD box, e.g.

I currently have it set up like this:

dc0 = X.X.X.25
dc2 = 192.168.200.254
test_box = 192.168.25.123
services = "{ ssh, smtp, http, https }"

I have the following in my pf.conf:
rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80

If I ssh into the X.X.X.25 box I can access the test_box on port 80. I cannot access X.X.X.25 port 80 however.

I've been using pfctl -f /etc/pf.conf to reload my rules. I see no reference in my pflog to any attempts to access port 80 on X.X.X.25.


Remember to set up a default route on the Windows box (it should of
course use the OpenBSD box as its default route).

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            192.168.25.254     UGS         0        7      -   ne3
loopback           localhost.localnet UGRS        0        0  33224   lo0
localhost.localnet localhost.localnet UH          0        9  33224   lo0
192.168.25/24      link#1             UC          0        0      -   ne3
192.168.25.254     00:18:f8:08:b4:27  UHLc        0      592      -   ne3
BASE-ADDRESS.MCAST localhost.localnet URS         0        0  33224   lo0

Is this correct?

Thanks again.

--charlie
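Editor's note, added example (not a configuration posted by anyone in this thread): the point Rosen makes above is that an `rdr on dc0` rule only sees packets that arrive on dc0, so a workstation on dc1 or a host on dc2 that connects to X.X.X.25 never matches it. The OpenBSD 3.9-era pf.conf below (old `nat`/`rdr` syntax, not the `match ... nat-to` syntax of later releases) shows the three cases: redirection from the internet, reflection for the dc1 network, and reflection for hosts on the server's own dc2 segment, which additionally need a source NAT so that the server's replies come back through the firewall instead of going straight to the client. Interface names and X.X.X.25 are taken from Charles's post; the server address 192.168.200.10, the two /24 ranges and the pass rules are assumptions for illustration.

```conf
# Added example, OpenBSD 3.9 pf.conf (nat/rdr syntax). Interface names and
# X.X.X.25 are from the thread; 192.168.200.10 and the /24 ranges are assumed.
ext_if   = "dc0"
int_if   = "dc1"                 # 192.168.100.0/24, workstations
srv_if   = "dc2"                 # 192.168.200.0/24, Windows server
ext_addr = "X.X.X.25"
int_net  = "192.168.100.0/24"
srv_net  = "192.168.200.0/24"
server   = "192.168.200.10"      # assumed private address of the Windows box

set skip on lo0

# Outbound NAT for both private networks behind the public address.
nat on $ext_if from { $int_net, $srv_net } to any -> ($ext_if)

# 1. Redirection for connections arriving from the internet on dc0.
rdr on $ext_if proto tcp from any to $ext_addr port 80 -> $server port 80

# 2. Reflection for the workstation network. Packets from dc1 never hit
#    the dc0 rdr rule, so they need their own. The server sits behind a
#    different interface, so its replies already route back through the
#    firewall and no extra NAT is needed for this case.
rdr on $int_if proto tcp from $int_net to $ext_addr port 80 -> $server port 80

# 3. Reflection for hosts on the server's own segment. Without the nat
#    rule the server would answer the client directly with its private
#    address as source, and the client would discard the reply because it
#    expected one from X.X.X.25. NATing the source to the firewall's dc2
#    address forces the reply back through pf, which undoes both rewrites.
rdr on $srv_if proto tcp from $srv_net to $ext_addr port 80 -> $server port 80
nat on $srv_if proto tcp from $srv_net to $server port 80 -> ($srv_if)

# Filtering. rdr rewrites the destination before the filter runs, so the
# pass rule for the public service matches the private server address.
block in log all
pass out keep state

pass in on $ext_if proto tcp from any to $server port 80 flags S/SA keep state
pass in on $int_if from $int_net to any keep state
pass in on $srv_if from $srv_net to any keep state
```

Two checks worth running after loading this. `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s nat` and `pfctl -s state` show the translation rules and the live translations, so a connection from a dc1 host to X.X.X.25:80 should appear as a state with the destination rewritten to 192.168.200.10. Note also that `rdr pass`, as used in the rule quoted above, passes the translated packet without running it through the filter rules; such packets are not blocked and therefore never show up in pflog, so an empty `tcpdump -n -e -ttt -i pflog0` does not by itself mean the packets never arrived. Separating `rdr` from an explicit `pass ... keep state` rule, as in the example, lets you add `log` to that pass rule while testing. The Windows box must use the firewall's dc2 address as its default gateway and carry only a private 192.168.200.x address, as Martin says above.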
