
RE: Binat and DMZ



I've figured out my problem... I needed an IP alias.
Jason
Hi,
I'm trying to set up a DMZ using OpenBSD 3.2 with a 3-legged machine. I'm
having difficulties getting an external address to map to an internal
address in the DMZ. I have used the following nat rules.
nat on $ExtIF from 172.16.128.0/24 to any -> $ExtIP
binat on $ExtIF from $DMZWebServerIP to any -> $ExtWebServerIP
It seems that the machine doesn't know that it should be responding to
requests on the $ExtWebServerIP IP address. The way things are currently
configured (test environment) I can ping the $DMZWebServerIP address from a
machine that is connected to what will be the internet side. Yet if I try to
ping $ExtWebServerIP it doesn't respond.
Yes... I am new to pf. I've configured other firewalls but just can't seem
to get this to work.
/etc/pf.conf
###########################
# Variables
###########################
IntIF="fxp0"
ExtIF="fxp1"
DMZIF="xl0"
IntNet="172.16.128.0/24"
ExtIP="x.y.z.47"
DMZWebServerIP="172.16.130.2"
ExtWebServerIP="x.y.z.47"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
###########################
# Normalize
###########################
# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all fragment reassemble
scrub out all
###########################
# NAT
###########################
# nat: packets going out through $ExtIF with source address 172.16.128.0/24
# will get translated as coming from x.y.z.47. A state is created for such
# packets, and incoming packets will be redirected to the internal address.
nat on $ExtIF from 172.16.128.0/24 to any -> $ExtIP
# Static NAT for Web Server in DMZ
binat on $ExtIF from $DMZWebServerIP to any -> $ExtWebServerIP
###########################
# Redirector
###########################
# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# Redirect FTP requests to the ftp proxy on port 8081
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8081
###########################
# filter rules
###########################
# Don't allow anyone to spoof non-routeable addresses
block in log quick on $ExtIF from $NoRouteIPs to any
block out log quick on $ExtIF from any to $NoRouteIPs
###########################
# Internal Interface Rules
###########################
# Allow internal network to connect to firewall no matter what
pass in quick on $IntIF all
###########################
# External Interface Rules
###########################
# Block all incoming packets
block in on $ExtIF all
# Block all outgoing packets
block out on $ExtIF all
# Allow response to icmp
pass in on $ExtIF inet proto icmp all keep state
# Allow active FTP back in via FTP Proxy
pass in log quick on $ExtIF proto tcp from any to $ExtIF user proxy keep state
# Let out-going traffic out and maintain state on established connections
pass out log on $ExtIF inet proto tcp all flags S/SA keep state
pass out log on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
###########################
# DMZ Interface Rules
###########################
block in on $DMZIF all
block out on $DMZIF all
# Allow web traffic into web server in dmz
#pass in on $ExtIF proto tcp from any to 172.16.130.2 port www keep state
pass in on $ExtIF proto tcp from any to 172.16.130.2 keep state
# Allow outgoing traffic out and maintain state on established connections
# "flags" is only valid for tcp, so udp and icmp get their own rule
pass out on $DMZIF proto tcp all flags S/SA keep state
pass out on $DMZIF proto { udp, icmp } all keep state
Thanks for any ideas...
Jason
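The fix in the reply (the firewall must itself carry the address that binat answers for, hence the alias) is a mismatch that can be checked mechanically. The Python script below is an added example, not code from the post or from OpenBSD: it expands the pf.conf macros, finds the nat/binat translation targets on the external interface and reports any address that ifconfig does not list for that interface. The pf.conf and ifconfig texts are constructed, with 203.0.113.x standing in for the post's masked x.y.z addresses.

```python
import re
# Constructed pf.conf fragment modelled on the post's macros and translation rules
# (203.0.113.x stands in for the post's masked x.y.z addresses).
PF_CONF = """\
ExtIF="fxp1"
ExtIP="203.0.113.47"
DMZWebServerIP="172.16.130.2"
ExtWebServerIP="203.0.113.48"
nat on $ExtIF from 172.16.128.0/24 to any -> $ExtIP
binat on $ExtIF from $DMZWebServerIP to any -> $ExtWebServerIP
"""
# Constructed `ifconfig fxp1` output: before and after adding the alias.
IFCONFIG_NO_ALIAS = """\
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.47 netmask 0xffffff00 broadcast 203.0.113.255
"""
IFCONFIG_WITH_ALIAS = IFCONFIG_NO_ALIAS + "        inet 203.0.113.48 netmask 0xffffffff\n"

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
XLATE_RE = re.compile(r'^(nat|binat)\s+on\s+(\S+)\s.*->\s*(\S+)')

def parse_macros(conf):
    """Collect NAME="value" macro definitions from a pf.conf text."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def expand(token, macros):
    """Resolve a $Macro reference; other tokens are returned unchanged."""
    return macros.get(token[1:], token) if token.startswith("$") else token

def configured_addrs(ifconfig_out):
    """Addresses (primary and aliases) that ifconfig shows for one interface."""
    return set(re.findall(r"^\s+inet\s+(\S+)", ifconfig_out, re.M))

def missing_translation_addrs(conf, ifconfig_out, ext_if):
    """(rule, address) pairs whose nat/binat target on ext_if is not carried by it."""
    macros, owned, missing = parse_macros(conf), configured_addrs(ifconfig_out), []
    for line in conf.splitlines():
        m = XLATE_RE.match(line.strip())
        if m and expand(m.group(2), macros) == ext_if:
            target = expand(m.group(3), macros)
            if target not in owned:
                missing.append((m.group(1), target))
    return missing
```

Run against the pre-alias ifconfig output it reports the binat target 203.0.113.48; once the alias is present it reports nothing.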