
double nat



Hello! My case is the following:
I have one CISCO PIX 501 (that has only two interfaces, and cannot have
more), connected to the ADSL modem, and so to the world.
I have one OpenBSD box behind it, running pf, with three interfaces. One is for the local lan, one for DMZ, one goes out (in my case it goes to CISCO).
I will do nat/filtering on my OpenBSD box. Following some guides, I've
written a set of rules (attached below) that should allow my clients to
surf, use dns cache from DMZ, use mail server from DMZ, access WWW in
DMZ, access FTP in DMZ. These rules will also allow access to these
services from outside.
My concern is the following: once my packets reach the outside interface of the OpenBSD box, they will enter the internal interface of CISCO. There, they will have to be translated to the external interface of CISCO (public IP). Will such a setup be possible, or do packets get lost on the way? Is there a special concern about particular (routed) protocols, i.e. ftp? If it is possible, my DMZ servers should be visible from the world without particular problems. However, I am in doubt as to whether I will have to write a special sort of rules for my lan to access DMZ.
Thanks for your help,
Pedja
The pf.conf file follows:
--------------------------
#######################
# OpenBSD 3.4
# pf rules for icnm
#
# Predrag Micakovic
# [email protected]
#######################
######################
# The network has 2 nats
# and one DMZ
#####################
# Interface Macros !!!!! correct after the installation
WAN_IF = "xl0"
DMZ_IF = "xl3"
LOOPBACK = "lo0"
LAN1_IF = "xl1"
# My networks
LAN1 = "192.168.10.0/24"
DMZ = "192.168.9.0/24"
# Special Networks/Hosts
RESERVED = "{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 }"
# Servers
NS1_SRV = "192.168.9.2"
NS2_SRV = "192.168.9.3"
MAIL_SRV = "192.168.9.4"
FTP_SRV = "192.168.9.5"
WEB_SRV = "192.168.9.20/32"
# Optimization
set timeout tcp.established 3600
set timeout {tcp.opening 30, tcp.closing 120 }
set limit { states 20000 frags 50000 }
set optimisation aggressive
# Packet Cleanup
scrub in on $WAN_IF all
scrub out on $WAN_IF all
# NAT
nat on $WAN_IF inet from { $LAN1_IF/24, $DMZ_IF/24 } to any -> $WAN_IF
################### IP Masquerading #####################
# for WWW
rdr on $WAN_IF proto tcp from any to ($WAN_IF) port www -> $WEB_SRV port www
# for DNS
# note: only the first matching rdr applies, so the NS2 rule below never
# receives redirected queries from outside
rdr on $WAN_IF proto { tcp, udp } to ($WAN_IF) port dns -> $NS1_SRV port dns
rdr on $WAN_IF proto { tcp, udp } to ($WAN_IF) port dns -> $NS2_SRV port dns
# for mail (no target port given: the original destination port is kept)
rdr on $WAN_IF proto tcp from any to ($WAN_IF) port { 25, 110 } -> $MAIL_SRV
# for FTP Proxy ("on" takes an interface, so the LAN interface, not the LAN network)
rdr on $LAN1_IF proto tcp from any to any port ftp -> $LOOPBACK port ftp-proxy
# for FTP Server
rdr on $WAN_IF proto tcp from any to ($WAN_IF) port ftp -> $FTP_SRV port ftp
# allow ssh to DMZ from LAN1
rdr on $DMZ_IF proto tcp from $LAN1 to $DMZ_IF port ssh -> $DMZ port ssh
################### Default Policy #####################
block in all
block out all
################### Improvements #######################
block in quick on $WAN_IF inet6 all
block in quick on $WAN_IF from any to 255.255.255.255
block in quick on $WAN_IF proto tcp from any to any flags FUP
block in quick on $WAN_IF proto tcp from any to any flags SAFRPU
block in quick on $WAN_IF proto tcp from any to any flags SAFRU/SAFRU
block in quick on $WAN_IF proto tcp from any to any flags SF/SF
block in quick on $WAN_IF proto tcp from any to any flags SR/SR
################## Trusted Interfaces ##################
pass in quick on lo0 all
pass out quick on lo0 all
################## Anti-spoof ##########################
block in quick on $WAN_IF from $RESERVED to any
antispoof for { lo0, $LAN1_IF, $WAN_IF, $DMZ_IF }
################## WAN Rules ###########################
pass in quick on $WAN_IF proto tcp from any to $WEB_SRV port www keep state
pass in quick on $WAN_IF proto { tcp, udp } from any to $NS1_SRV port dns keep state
pass in quick on $WAN_IF proto { tcp, udp } from any to $NS2_SRV port dns keep state
pass in quick on $WAN_IF proto tcp from any to $MAIL_SRV port { 25, 110 } keep state
pass in on $WAN_IF inet proto icmp all icmp-type 0 code 0
pass out on $WAN_IF inet proto icmp all icmp-type 8 code 0
pass out on $WAN_IF inet proto tcp to any port { 21, 25, 80, 53, 110 } flags S/SA keep state
pass out on $WAN_IF inet proto udp to any port { 53 } keep state
################### LAN1 Rules ###########################
pass in quick on $LAN1_IF inet proto icmp from any to $LAN1 icmp-type 0 code 0
pass out on $LAN1_IF inet proto icmp from $LAN1 to any icmp-type 8 code 0
pass out on $LAN1_IF inet proto tcp from $LAN1 to any port { 21, 25, 80, 110 } flags S/SA keep state
pass out on $LAN1_IF inet proto udp from $LAN1 to any port { 53 } keep state
################### DMZ Rules ############################
pass in quick on $DMZ_IF proto tcp from any to $WEB_SRV port { 80 } keep state
pass out on $DMZ_IF proto tcp from $WEB_SRV to any port { www } keep state
pass in quick on $DMZ_IF proto tcp from any to $MAIL_SRV port { 25, 110 } keep state
pass out on $DMZ_IF proto tcp from $MAIL_SRV to any port { 25, 110 } keep state
# DNS on both resolvers, tcp and udp
pass in quick on $DMZ_IF proto tcp from any to $NS1_SRV port { dns } keep state
pass out on $DMZ_IF proto tcp from $NS1_SRV to any port { dns } keep state
pass in quick on $DMZ_IF proto tcp from any to $NS2_SRV port { dns } keep state
pass out on $DMZ_IF proto tcp from $NS2_SRV to any port { dns } keep state
pass in quick on $DMZ_IF proto udp from any to $NS1_SRV port { 53 } keep state
pass out on $DMZ_IF proto udp from $NS1_SRV to any port { 53 } keep state
pass in quick on $DMZ_IF proto udp from any to $NS2_SRV port { 53 } keep state
pass out on $DMZ_IF proto udp from $NS2_SRV to any port { 53 } keep state
pass in quick on $DMZ_IF proto tcp from any to $FTP_SRV port { ftp } keep state
pass out on $DMZ_IF proto tcp from $FTP_SRV to any port { ftp } keep state
#################### FTP Proxy ############################
pass in on $WAN_IF proto tcp from any port ftp-data to $WAN_IF port { 55000 >< 57000 } keep state
pass in on $WAN_IF inet proto tcp from any to any port > 49151 keep state
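A small model of the two stateful NAT hops the question describes (pf's nat/rdr on xl0, then the PIX), written as an added example that is not part of the original post; the address of xl0, the PIX public IP and the remote hosts are assumed placeholders. It shows why outbound LAN traffic survives both translations and finds its way back, while an unsolicited connection to the DMZ web server is dropped at the PIX unless the PIX carries its own static mapping in front of pf's rdr rule; FTP's in-band addresses are outside this model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int

class NatHop:
    """One stateful NAT device (pf's nat/rdr or the PIX): outbound flows are rewritten
    to the external address and remembered; inbound is translated back only from state or a static entry."""
    def __init__(self, ext, static=None):
        self.ext, self.static = ext, (static or {})  # static: (ext_ip, port) -> (inside_ip, port)
        self.states = {}                              # nat_port -> (inside_ip, inside_port)

    def outbound(self, p):
        key = (p.src, p.sport)
        port = next((np for np, k in self.states.items() if k == key), None)
        if port is None:                 # new flow: allocate a source port, keep state
            port = 50000 + len(self.states)
            self.states[port] = key
        return replace(p, src=self.ext, sport=port)

    def inbound(self, p):
        if p.dst == self.ext and p.dport in self.states:  # reply to a known flow
            ip, port = self.states[p.dport]
            return replace(p, dst=ip, dport=port)
        if (p.dst, p.dport) in self.static:               # explicitly forwarded service
            ip, port = self.static[(p.dst, p.dport)]
            return replace(p, dst=ip, dport=port)
        return None                                       # no mapping: dropped

def walk(p, hops, direction):
    """Push a packet through the hops: pf then PIX going out, PIX then pf coming in."""
    for h in (hops if direction == "out" else reversed(hops)):
        p = h.outbound(p) if direction == "out" else h.inbound(p)
        if p is None:
            return None
    return p

# Assumed addresses: pf's xl0 sits on the PIX inside net; the PIX public IP is a placeholder.
PF_WAN, PIX_PUB, WEB_SRV = "192.168.1.2", "203.0.113.10", "192.168.9.20"

def lan_client_to_internet():
    # LAN client fetches a web page: returns (packet as the server sees it, reply as the client sees it)
    pf, pix = NatHop(PF_WAN), NatHop(PIX_PUB)
    seen = walk(Pkt("192.168.10.50", 40000, "198.51.100.7", 80), [pf, pix], "out")
    return seen, walk(Pkt("198.51.100.7", 80, seen.src, seen.sport), [pf, pix], "in")

def internet_to_dmz_web(pix_has_static):
    # Unsolicited inbound to the public IP: pf's rdr alone is not enough, the PIX needs a mapping too
    pf = NatHop(PF_WAN, {(PF_WAN, 80): (WEB_SRV, 80)})           # models the rdr rule for www
    pix = NatHop(PIX_PUB, {(PIX_PUB, 80): (PF_WAN, 80)} if pix_has_static else None)
    return walk(Pkt("198.51.100.7", 51234, PIX_PUB, 80), [pf, pix], "in")
```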