Re: pf rule confusion



On Wed, Dec 18, 2002 at 09:26:47AM -0800, Bryan Irvine wrote:
> I have an OpenBSD (3.1) natted firewall, with 3 NICs
> 
> rl0 = 64.1.201.130
> 
> sis = 192.168.0.1
> 
> ep1 = 192.233.103.186 (it's being used as an internal address, don't ask,
> long irritating story)
> 
> I'm trying to set it up to 
> 
> A> act as a gateway for both the 192.233.103.* and 192.168.0.* networks,
> while allowing me to forward any requests for 192.233.100.* to a
> different router.

That should be covered with something like

  nat on rl0 from 192.168.0.0/24 to any -> 64.1.201.130
  nat on rl0 from 192.233.100.0/24 to any -> 64.1.201.130

> B> Allow me to port forward vnc ports to allow remote external
> connections via vnc in.  I have it partially set up now.  I have it so
> that it will act as a gateway for the 192.168.0.* network and will allow
> vnc traffic to that network, but, it will not let me forward to the
> 192.233.103 network.  I assume it's because it's not actually natting
> this interface.

That's done with

  rdr on rl0 from any to 64.1.201.130 port 5900 \
     -> 192.233.103.123 port 5900

There are several reasons why the redirection might not work.

a) Verify that you can ping 192.233.103.123 from the firewall.
b) Verify that you can ping the external host from the firewall.
c) Verify that you can ping the external host from 192.233.103.123.

If that works, it's probably not a routing problem.

d) Make sure you allow incoming connections to 192.233.103.123 port 5900
   on rl0. Yes, since translation happens before filtering, the packets
   will have destination address 192.233.103.123 (not 64.1.201.130) when
   they're filtered.

If it still doesn't work, you'll have to explain more specifically how
'it doesn't work'. tcpdump on rl0 and ep1: do you see the initial TCP SYN
packet arrive on rl0, and does it go out through ep1 with the translated
destination address? Does it arrive at the vnc server? Does the server
send a SYN ACK back? Does the reply reach ep1 on the firewall? Does it
get sent out through rl0 with the source address properly translated
back to the external address?

Daniel
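
Added example, not part of Daniel's message: a Python check that walks the tcpdump questions above in order and reports the first stage of the handshake that is missing from captures taken on rl0 and ep1. The capture lines, the client address 203.0.113.7 and the simplified line format are constructed assumptions; the firewall and server addresses are the ones in the post.

```python
import re

EXT, INT, PORT = "64.1.201.130", "192.233.103.123", "5900"  # addresses from the post
CLIENT = "203.0.113.7.40000"  # constructed external client (documentation range)

# Simplified "src.port > dst.port: flags ..." line, modelled on tcpdump -n (assumption).
PKT = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)(.*)")

def parse(line):
    """Return the addresses, ports and handshake kind of one capture line, or None."""
    m = PKT.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags, rest = m.groups()
    kind = None
    if "S" in flags:
        kind = "synack" if " ack " in rest else "syn"
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "kind": kind}

# The questions from the reply, in order: (label, interface, packet kind, required fields).
STAGES = [
    ("SYN arrives on rl0", "rl0", "syn", {"dst": EXT, "dport": PORT}),
    ("SYN leaves ep1 with translated destination", "ep1", "syn", {"dst": INT, "dport": PORT}),
    ("SYN ACK reaches ep1", "ep1", "synack", {"src": INT, "sport": PORT}),
    ("SYN ACK leaves rl0 with source translated back", "rl0", "synack", {"src": EXT, "sport": PORT}),
]

def first_missing_stage(captures):
    """captures maps interface -> capture lines; returns the first unseen stage or None."""
    for label, iface, kind, want in STAGES:
        pkts = [p for p in map(parse, captures.get(iface, [])) if p]
        if not any(p["kind"] == kind and all(p[k] == v for k, v in want.items()) for p in pkts):
            return label
    return None

# Constructed captures: the SYN reaches rl0 but is never forwarded out ep1.
BLOCKED = {"rl0": [f"10:00:00.000001 {CLIENT} > {EXT}.{PORT}: S 100:100(0) win 16384"], "ep1": []}
# Constructed captures: complete path in both directions.
WORKING = {
    "rl0": [f"10:00:00.000001 {CLIENT} > {EXT}.{PORT}: S 100:100(0) win 16384",
            f"10:00:00.000900 {EXT}.{PORT} > {CLIENT}: S 900:900(0) ack 101 win 17376"],
    "ep1": [f"10:00:00.000100 {CLIENT} > {INT}.{PORT}: S 100:100(0) win 16384",
            f"10:00:00.000800 {INT}.{PORT} > {CLIENT}: S 900:900(0) ack 101 win 17376"],
}

if __name__ == "__main__":
    print(first_missing_stage(BLOCKED))
    print(first_missing_stage(WORKING))
```

When the SYN is seen on rl0 but never on ep1, the packet is being lost on the firewall itself, for example to a missing filter rule for the translated destination as in point d).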