
perPLEXed, NAT issues



Ok so I wanted to solve this myself, and after about 40 hours of research and troubleshooting I am still not further than when I started. In fact I may have taken a step backwards. But more to the point I am having trouble with NAT; and perhaps with my filter rules? Although I did copy pf.conf verbatim from benzedrine I will include the files in the message. btw using OpenBSD 3.1, so I can reach the outside world from the bsd box but not from within the lan. dhcp is configured properly with name servers from attbi. I don't know what I'm missing, pf is enabled, as is forwarding in sysctl.conf. Any thoughts?
 
First, here is the output of
$ pfctl -s all
@0 scrub out all
@1 scrub in all
@2 block out log all
@3 block in log all
@4 block return-rst out log inet proto tcp all
@5 block return-rst in log inet proto tcp all
@6 block return-icmp out log inet proto udp all
@7 block return-icmp in log inet proto udp all
@8 pass out quick on ep0 all
@9 pass out quick on enc0 all
@10 pass out quick on lo0 all
@11 pass in quick on ep0 all
@12 pass in quick on enc0 all
@13 pass in quick on lo0 all
@14 block return-rst in quick proto tcp from any to any port = 6667
@15 block return-rst in quick proto tcp from any to any port = 6000
@16 block return-rst in quick proto tcp from any to any port = sunrpc
@17 block return-icmp in quick proto udp from any to any port = netbios-ns
@18 block out quick proto tcp all flags /S
@19 block in quick proto tcp all flags /S
@20 block out log quick on tl0 inet from ! 12.253.82.148/32 to any
@21 block in quick on tl0 inet from any to 62.65.145.31/32
@22 block in quick on tl0 inet from any to 255.255.255.255/32
@23 block in log quick on tl0 inet from 255.255.255.255/32 to any
@24 block in log quick on tl0 inet from 192.168.0.0/16 to any
@25 block in log quick on tl0 inet from 172.16.0.0/12 to any
@26 block in log quick on tl0 inet from 10.0.0.0/8 to any
@27 block in log quick on tl0 inet from 127.0.0.0/8 to any
@28 pass out on tl0 inet proto icmp from 12.253.82.148/32 to any icmp-type echoreq code 0 keep state
@29 pass in on tl0 inet proto icmp from any to 12.253.82.148/32 icmp-type echoreq code 0 keep state
@30 pass out on tl0 inet proto udp from 12.253.82.148/32 to any keep state
@31 pass out on tl0 inet proto tcp from 12.253.82.148/32 to any flags S/SA keep state
nat on tl0 from 192.168.0.0/24 to any -> 12.253.82.148
Status: Enabled Time: 1036493794 Since: 1036420451 Debug: None
Bytes In IPv4: 0 Bytes Out: 0
IPv6: 0 Bytes Out: 0
Inbound Packets IPv4: Passed: 0 Dropped: 0
IPv6: Passed: 0 Dropped: 0
Outbound Packets IPv4: Passed: 0 Dropped: 0
IPv6: Passed: 0 Dropped: 0
States: 0
pf Counters
state searches 56749
state inserts 558
state removals 558
Counters
match 37958
bad-offset 0
fragment 0
short 1
normalize 0
memory 0
 
#pf.conf
ext_if="tl0"
int_if="ep0"
unroutable="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
192.168.0.0/16, 255.255.255.255/32 }"
services_tcp="{ ssh, smtp, submission, domain, auth, www, pop3, > 1024 }"
services_udp="{ domain }"
ipv6_net="{ 2001:470:1f00:ffff::245, 2001:470:1f00:390:0:0:0:0/64 }"
# normalize all packets
#
scrub out all
scrub in all
# block and log everything by default
#
block out log all
block in log all
block return-rst out log inet proto tcp all
block return-rst in log inet proto tcp all
block return-icmp out log inet proto udp all
block return-icmp in log inet proto udp all
# unfiltered interfaces
#
pass out quick on { lo0, enc0, $int_if } all
pass in quick on { lo0, enc0, $int_if } all
# =============================================================================
# common rules for all filtered interfaces
# =============================================================================
# silently drop noise
#
block return-rst in quick proto tcp from any to any \
port { 111, 6000, 6667 }
block return-icmp in quick proto udp from any to any \
port { 137 }
# silently drop TCP non-SYN packets (only SYNs create state)
#
block out quick proto tcp all flags /S
block in quick proto tcp all flags /S
# =============================================================================
# external interface (all external IPv4 traffic)
# =============================================================================
# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and don't send out garbage.
#
block out log quick on $ext_if inet from !$ext_if to any
# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if inet from any to { 255.255.255.255, 62.65.145.31 }
# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if inet from $unroutable to any
# ICMP
#
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp from any to $ext_if \
icmp-type 8 code 0 keep state
# UDP
#
pass out on $ext_if inet proto udp from $ext_if to any \
keep state
#pass in on $ext_if inet proto udp from any to $ext_if \
port $services_udp keep state
# TCP
#
pass out on $ext_if inet proto tcp from $ext_if to any \
flags S/SA keep state
#pass in on $ext_if inet proto tcp from any to $ext_if \
port $services_tcp flags S/SA keep state
 
look familiar?
 
Next, nat.conf:
 
# $OpenBSD: nat.conf,v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and examples
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
#
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
nat on tl0 from 192.168.0.0/24 to any -> tl0
# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. a state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# rdr on ext0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678
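Added example, not part of the original post or of the benzedrine ruleset: a small model of how pf evaluates a subset of the rules shown in the "pfctl -s all" output above (last matching rule wins unless it is "quick", and outbound NAT is applied before the filter rules, so the filter sees the translated source). It assumes the interface names and addresses from the post and a constructed LAN host 192.168.0.10; the "@" numbers in the comments refer to the poster's pfctl output.

```python
import ipaddress

# Values taken from the post; the LAN host used in the tests is constructed.
EXT_IF, EXT_ADDR, INT_IF, INT_NET = "tl0", "12.253.82.148", "ep0", "192.168.0.0/24"

# (action, direction, quick, iface or None, proto or None, src net, negate src)
RULES = [
    ("block", "out", False, None,   None,  "0.0.0.0/0",      False),  # @2
    ("block", "in",  False, None,   None,  "0.0.0.0/0",      False),  # @3
    ("pass",  "out", True,  INT_IF, None,  "0.0.0.0/0",      False),  # @8
    ("pass",  "in",  True,  INT_IF, None,  "0.0.0.0/0",      False),  # @11
    ("block", "out", True,  EXT_IF, None,  EXT_ADDR + "/32", True),   # @20 from !$ext_if
    ("block", "in",  True,  EXT_IF, None,  "192.168.0.0/16", False),  # @24 $unroutable
    ("pass",  "out", False, EXT_IF, "tcp", EXT_ADDR + "/32", False),  # @31
]

def nat_source(direction, iface, src, nat_enabled=True):
    """Model 'nat on tl0 from 192.168.0.0/24 to any -> 12.253.82.148'."""
    if (nat_enabled and direction == "out" and iface == EXT_IF
            and ipaddress.ip_address(src) in ipaddress.ip_network(INT_NET)):
        return EXT_ADDR
    return src

def filter_packet(direction, iface, proto, src):
    """Verdict for one packet on one interface: last match wins, quick stops."""
    verdict = "pass"  # pf passes when no rule matches at all
    addr = ipaddress.ip_address(src)
    for action, rdir, quick, riface, rproto, net, negate in RULES:
        if rdir != direction or (riface and riface != iface):
            continue
        if rproto and rproto != proto:
            continue
        in_net = addr in ipaddress.ip_network(net)
        if in_net == negate:          # '!' flips the source match
            continue
        verdict = action
        if quick:
            break
    return verdict

def forward(proto, src, nat_enabled=True):
    """LAN host to Internet: in on ep0, then NAT, then out on tl0."""
    if filter_packet("in", INT_IF, proto, src) != "pass":
        return "block", src
    translated = nat_source("out", EXT_IF, src, nat_enabled)
    return filter_packet("out", EXT_IF, proto, translated), translated
```

With NAT active the outbound packet leaves with the external address and matches rule @31; with NAT off it still carries the private source and rule @20 blocks and logs it, which is exactly the misconfiguration that comment in pf.conf describes.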