On Thu, Aug 05, 2010 at 02:17:35AM +0200, Robert wrote:
> > What would be the most barebones pf.conf for a OpenBSD 4.7 nat firewall
> > with 2 nics, that passes everything.
> ext_if="em0"
> table int_net const persist {10.10.1.0/24}
> match out on $ext_if from <int_net> to any nat-to ($ext_if)
> pass all
If I'm not mistaken, you could drop the `ext_if="em0"` and just use the interface group `egress` (which would be your only interface with a default route in this case) in the match rule.

Similarly, assuming your local interface is in the same network as your NATted clients, you could use `($int_if:network)` instead of the address table. This would require declaring an $int_if variable. Maybe a nicer way to do this would be to put your local interface in a specific group using hostname.$int_if, then only use that group's name in your pf.conf. This has the additional advantage that you can add other local interfaces later on, and have the NAT set up directly for them without modifying your pf.conf, but only their hostname.if.

Thus,

=== pf.conf ===
match out on egress from (ingress:network) to any nat-to (egress)
pass all
======

=== hostname.$int_if ===
...
group ingress
======

PS: I'm just saying that from the top of my head, and haven't tried this. Particularly, I'm not sure whether the `nat-to (egress)` works. It may need a `nat-to (egress:0)` instead, which may not even work either. I tend to always try out interface group-based solutions first as I find them more elegant. Anyway, if you're keen, please test and tell us (:

--
Olivier Mehani <sht...@ssji.net>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655