Cascading pf firewalls with both nat and no nat
Hi list,

I have a working setup with 2 cascaded firewalls (OpenBSD 4.5 on my external firewall, 4.6 on my internal firewall). NAT is done on the external interface of the internal firewall (which is connected to the external firewall).

Now I want to exclude one of the workstations behind the internal firewall from NAT. This workstation should be allowed to connect to one server only (which is connected to another interface of the external firewall).

Intended setup is as follows:
[Indentation for better readability]

Workstation
    10.1.2.2/24
    gateway is 10.1.2.1

Internal firewall
    10.1.2.1/24 xl0 (connected to workstation)
    10.1.0.2/24 xl1 (connected to external firewall)
    gateway is 10.1.0.1

External firewall
    10.1.0.1/16 re0 (connected to internal firewall)
    10.0.2.1/24 re1 (connected to server)

Server
    10.0.2.2/24
    gateway is 10.0.2.1

NAT rules on internal firewall

    no nat on xl1 from 10.1.2.2 to any
    nat on xl1 from any to any -> 10.1.0.2

Filtering rules on internal firewall

    # general rules
    block all
    antispoof quick for { lo xl0 xl1 }

    # xl0 rules
    # no quick rules before the following rule
    pass in on xl0 from 10.1.2.2 to 10.0.2.1
    # no block rules after the previous rule

    # snip - other interfaces

    # xl1 rules
    # no quick rules before the following rule
    pass out on xl1 from 10.1.2.2 to 10.0.2.1
    # no block rules after the previous rule

Filtering rules on external firewall

    # general rules
    block all
    antispoof quick for { lo re0 re1 }

    # re0 rules
    # no quick rules before the following rule
    pass in on re0 from 10.1.2.2 to 10.0.2.1
    # no block rules after the previous rule

    # snip - other interfaces

    # re1 rules
    # no quick rules before the following rule
    pass out on re1 from 10.1.2.2 to 10.0.2.1
    # no block rules after the previous rule

This does not seem to work, however, as the workstation cannot connect to the server (it was able to connect with NAT).

What am I doing wrong? Any hints would be appreciated.

Thank you very much in advance.
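The addressing in the post above has a property worth checking before looking at the pf rules at all: the external firewall's re0 is 10.1.0.1/16, which contains the workstation's 10.1.2.0/24. The following is an added example (not part of the original post and not OpenBSD code) that models longest-prefix-match route selection on the external firewall using only the addresses given in the post. The static route in ROUTE_FIX is an assumption; the post does not mention one.

```python
"""Which way does the external firewall send a reply to the un-NATed workstation?

Added example, not part of the original post. It models longest-prefix-match
route selection on the external firewall using only the addresses given in the
post; the static route in ROUTE_FIX is an assumption (the post mentions none).
"""
from ipaddress import ip_address, ip_interface, ip_network

# External firewall interfaces as given in the post (constructed table).
EXT_FW_INTERFACES = {
    "re0": ip_interface("10.1.0.1/16"),   # towards the internal firewall
    "re1": ip_interface("10.0.2.1/24"),   # towards the server
}

# What is actually attached to each segment according to the post: the internal
# firewall's xl1 on re0, the server on re1. The workstation (10.1.2.2) is behind
# the internal firewall, not on the re0 wire.
ON_WIRE = {
    "re0": {ip_address("10.1.0.2")},
    "re1": {ip_address("10.0.2.2")},
}

# Assumed static route (NOT in the post): send 10.1.2.0/24 via the internal firewall.
ROUTE_FIX = [(ip_network("10.1.2.0/24"), ip_address("10.1.0.2"))]


def next_hop(dst, interfaces, static_routes=()):
    """Longest-prefix match. Returns (egress interface, gateway); gateway None
    means the destination is treated as directly connected on that interface."""
    dst = ip_address(dst)
    candidates = []
    for ifname, iface in interfaces.items():
        if dst in iface.network:
            candidates.append((iface.network.prefixlen, ifname, None))
    for prefix, gw in static_routes:
        if dst in prefix:
            for ifname, iface in interfaces.items():
                if gw in iface.network:        # gateway must be reachable on some link
                    candidates.append((prefix.prefixlen, ifname, gw))
    if not candidates:
        return None
    _, ifname, gw = max(candidates, key=lambda c: c[0])
    return ifname, gw


def reply_deliverable(dst, interfaces, static_routes=()):
    """True if the layer-2 target the firewall would ARP for is really on that wire."""
    hop = next_hop(dst, interfaces, static_routes)
    if hop is None:
        return False
    ifname, gw = hop
    target = gw if gw is not None else ip_address(dst)
    return target in ON_WIRE[ifname]


if __name__ == "__main__":
    for label, routes in (("no static route", ()),
                          ("with 10.1.2.0/24 via 10.1.0.2", ROUTE_FIX)):
        print(label, next_hop("10.1.2.2", EXT_FW_INTERFACES, routes),
              "deliverable:", reply_deliverable("10.1.2.2", EXT_FW_INTERFACES, routes))
    # With NAT the reply goes to 10.1.0.2, which really is on the re0 wire.
    print("NATed case", next_hop("10.1.0.2", EXT_FW_INTERFACES),
          "deliverable:", reply_deliverable("10.1.0.2", EXT_FW_INTERFACES))
```

Without a more specific route, the /16 on re0 makes the external firewall treat 10.1.2.2 as a directly connected host and ARP for it on re0, where only the internal firewall's xl1 (10.1.0.2) answers; with NAT the reply was addressed to 10.1.0.2 itself, which is why that case worked. Note also that the pass rules quoted above name 10.0.2.1, the external firewall's own re1 address, while the server is given as 10.0.2.2, so the forward path deserves the same check.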
ftp-proxy and pf on OpenBSD 4.5
Hi list,

I was trying to set up ftp-proxy for use with a client (OpenBSD 4.6 workstation, passive ftp only) behind a firewall (4.5).

I have set up pf.conf on the firewall according to pf user's guide.

All ftp-proxy anchors have been put first (nat/rdr before any nat/rdr rules, filtering before any filtering rules) so other rules should not affect them (filtering rules inserted by ftp-proxy are "quick" according to man, and first nat/rdr rule wins anyway).

I use:
    set skip on lo
(as I usually do)

and:
    ftp-proxy -d -D 7
(for debugging).

From my understanding the line
    rdr on $client_if proto tcp from $client to any port ftp -> \
        127.0.0.1 port 8021

should cause the incoming connection to be
1. redirected,
2. not filtered (skip on lo),
3. reach ftp-proxy and therefore
4. enable ftp-proxy to populate the anchors.

However, this seems not to happen (no connection, no output from ftp-proxy).

When I add something like:
    pass in on $client_if from $client to any

ftp-proxy lets me connect to the external ftp server (debug output of ftp-proxy is as one would expect it).

But even something like:
    pass in on $client_if proto { tcp udp } from $client \
        to any port ftp

does not work (and as explained above I would think that this is not necessary at all).

Any ideas?
Update: ftp-proxy and pf on OpenBSD 4.5
Apologies first. My first thought after waking up today was "I mixed IPs and IFs". Sorry for posting that...

Remaining question second. The filtering does not seem to get "populated" by ftp-proxy. A rule like:
    pass in on $client_if proto { tcp udp } from $client \
        to 127.0.0.1 port ftp

does not do the trick, I still have to use something like:
    pass in on $client_if proto { tcp udp } from $client \
        to 127.0.0.1

(opening everything up for the ftp data connection myself).

kern.securelevel is 1, so I just do not understand why ftp-proxy won't add the rules.

Any clue, so I get at least a direction for my search?
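Both posts in this thread turn on the same pf (OpenBSD 4.x) ordering rule: rdr translation happens before the filter, so the filter rules evaluate the already-translated packet, and a packet that arrived on $client_if stays attached to $client_if even when its new destination is 127.0.0.1. The following is an added example, not part of either post and not OpenBSD code, that models that ordering for the control connection. It parses only a small subset of pf.conf syntax, $client_if and $client are constructed values (xl0, 10.1.2.2), the external FTP server address is a constructed TEST-NET address, and the data-connection rules that ftp-proxy later inserts into its anchor are not modelled.

```python
"""Toy model of pf's order of operations in OpenBSD 4.x for an inbound packet:
rdr translation is applied first, then the filter rules see the TRANSLATED
packet; the last matching filter rule wins unless a matching rule is 'quick'.

Added example, not part of the original posts and not OpenBSD code. It parses a
small subset of pf.conf syntax; $client_if and $client are constructed values,
and the data-connection rules that ftp-proxy inserts into its anchor are not
modelled.
"""
from dataclasses import dataclass, replace

MACROS = {"$client_if": "xl0", "$client": "10.1.2.2"}   # constructed values
SERVICES = {"ftp": 21}                                   # service names used here


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    ifname: str      # interface the packet arrived on; unchanged by rdr
    proto: str
    src: str
    dst: str
    dport: int


def port(token):
    return int(token) if token.isdigit() else SERVICES[token]


def parse(rule):
    """Parse one rule into match criteria (subset: on/proto/from/to/port/->/quick/all)."""
    text = rule
    for macro, value in MACROS.items():
        text = text.replace(macro, value)
    toks = text.replace("{", " { ").replace("}", " } ").split()
    r = {"action": toks[0], "dir": None, "quick": False, "ifname": None,
         "proto": None, "src": None, "dst": None, "dport": None,
         "rdr_to": None, "rdr_port": None}
    side = None
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            r["dir"] = tok
        elif tok == "quick":
            r["quick"] = True
        elif tok == "all":
            pass                                    # matches everything
        elif tok == "on":
            i += 1
            r["ifname"] = toks[i]
        elif tok == "proto":
            i += 1
            if toks[i] == "{":
                j = toks.index("}", i)
                r["proto"] = set(toks[i + 1:j])
                i = j
            else:
                r["proto"] = {toks[i]}
        elif tok in ("from", "to", "->"):
            i += 1
            side = {"from": "src", "to": "dst", "->": "rdr_to"}[tok]
            r[side] = toks[i]
        elif tok == "port":
            i += 1
            if side == "dst":
                r["dport"] = port(toks[i])
            elif side == "rdr_to":
                r["rdr_port"] = port(toks[i])
            # source ports are ignored in this subset
        else:
            raise ValueError(f"unsupported token {tok!r} in {rule!r}")
        i += 1
    return r


def matches(r, pkt):
    return ((r["dir"] is None or r["dir"] == pkt.direction)
            and (r["ifname"] is None or r["ifname"] == pkt.ifname)
            and (r["proto"] is None or pkt.proto in r["proto"])
            and (r["src"] in (None, "any") or r["src"] == pkt.src)
            and (r["dst"] in (None, "any") or r["dst"] == pkt.dst)
            and (r["dport"] is None or r["dport"] == pkt.dport))


def translate(rdr_rules, pkt):
    """First matching rdr rule wins; returns the packet as the filter will see it."""
    for rule in map(parse, rdr_rules):
        if matches(rule, pkt):
            return replace(pkt, dst=rule["rdr_to"], dport=rule["rdr_port"] or pkt.dport)
    return pkt


def filter_decision(filter_rules, pkt):
    """Last matching rule wins unless a matching rule is quick; pf's default is pass."""
    decision = "pass"
    for rule in map(parse, filter_rules):
        if matches(rule, pkt):
            decision = rule["action"]
            if rule["quick"]:
                break
    return decision


def evaluate(rdr_rules, filter_rules, pkt):
    translated = translate(rdr_rules, pkt)
    return filter_decision(filter_rules, translated), translated


# --- the situation from the posts, with a constructed external FTP server -----
RDR = ["rdr on $client_if proto tcp from $client to any port ftp -> 127.0.0.1 port 8021"]
CONTROL_CONN = Packet("in", "xl0", "tcp", "10.1.2.2", "203.0.113.10", 21)  # constructed

FILTER_PORT_FTP = ["block all",
                   "pass in on $client_if proto { tcp udp } from $client to any port ftp"]
FILTER_LO_FTP = ["block all",
                 "pass in on $client_if proto { tcp udp } from $client to 127.0.0.1 port ftp"]
FILTER_LO_8021 = ["block all",
                  "pass in on $client_if proto { tcp udp } from $client to 127.0.0.1 port 8021"]

if __name__ == "__main__":
    for name, rules in [("to any port ftp", FILTER_PORT_FTP),
                        ("to 127.0.0.1 port ftp", FILTER_LO_FTP),
                        ("to 127.0.0.1 port 8021", FILTER_LO_8021)]:
        decision, seen = evaluate(RDR, rules, CONTROL_CONN)
        print(f"{name:24s} filter sees dst={seen.dst}:{seen.dport} -> {decision}")
```

Run it and the first two rulesets block the control connection because the filter sees destination 127.0.0.1 port 8021, not port 21 (ftp), while the third passes it. This is also why "set skip on lo" does not help here: the redirected packet is still processed as inbound on the client interface, never on lo. The narrowest filter rule that admits the control connection to the proxy is therefore one that names the translated address and port, which keeps the exception to 127.0.0.1:8021 rather than opening all ports on 127.0.0.1.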