[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pf rule confusion
On Wed, Dec 18, 2002 at 09:26:47AM -0800, Bryan Irvine wrote:
> I have an openbsd (3.1) natted firewall, with 3 nic's
> rl0 = 22.214.171.124
> sis = 192.168.0.1
> ep1 = 126.96.36.199 (it's being used as an internal address don't ask,
> long irritating story)
> i'm trying to set it up to
> A> act as a gateway for both the 192.233.103.* and 192.168.0.* networks,
> while allowing me to forward any requests for 192.233.100.* to a
> different router.
That should be covered with something like
nat on rl0 from 192.168.0.0/24 to any -> 188.8.131.52
nat on rl0 from 184.108.40.206/24 to any -> 220.127.116.11
> B> Allow me to port forward vnc ports to allow remote external
> connections via vnc in. I have it partially setup now. I have it so
> that it will act as a gateway for the 192.168.0.* network and will allow
> vnc traffic to that network, but, it will not let me forward to the
> 192.233.103 network. I assume it's because it's not actually natting
> this interface.
That's done with
rdr on rl0 from any to 18.104.22.168 port 5900 \
-> 22.214.171.124 port 5900
There's several reasons why the redirection might not work.
a) Verify that you can ping 126.96.36.199 from the firewall.
b) Verify that you can ping the external host from the firewall.
c) Verify that you can ping the external host from 188.8.131.52.
If that works, it's probably not a routing problem.
d) Make sure you allow incoming connections to 184.108.40.206 port 5900
on rl0. Yes, since translation happens before filtering, the packets
will have destination address 220.127.116.11 (not 18.104.22.168) when
If it still doesn't work, you'll have to explain more specifically how
'it does't work'. tcpdump on rl0 and ep1, do you see the initial TCP SYN
packet arrive on rl0, and does it go out through ep1 with the translated
destination address? Does it arrive at the vnc server? Does the server
send a SYN ACK back? Does the reply reach ep1 on the firewall? Does it
get sent out through rl0 with the source address properly translated
back to the external address?