[nycbug-talk] pf nat problem

George Georgalis george
Sat Nov 5 20:36:23 EST 2005


I've looked in a few docs but I'm not able to get a pf nat gateway
to work...

gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pfspamd_enable="YES"
pfspamd_grey="YES"
pfspamd_flags="-v -g"

(and the forward sysctl is enabled)

host1 has two public IPs on one interface and a 10.0.0.0/24 address on the other.
host2 has one 10.0.0.0/24 address and is connected by crossover cable, no firewalling.
host2 is configured to use host1's 10.0.0.0/24 address as its gateway.
The hosts can ping each other.

Below are my current pf rules; I've been experimenting a lot, so
they don't look much like the examples I started with anymore.
(addresses changed to protect the ignorant)


# Macros:
lo_if="lo0"
lo_addr="127.0.0.1"
lo_net="127.0.0.0/8"
int_if="vr0"
ext_if="vr1"
internal_net="10.0.0.0/24"
internal_addr="10.0.0.1"
internal_addr2="10.0.0.2"
external_addr="6.50.17.8"
external_addr2="6.50.17.2"
external_tcp="{ ssh, domain, smtp, openvpn }"
external_udp="{ ntp, domain, openvpn }"
external_tcp2="{ http, https, pop3, ssh, openvpn }"
external_udp2="{ openvpn }"

# Normalization:
scrub in all

# Translation:
nat on $ext_if from $internal_net to any -> $external_addr2
rdr on $ext_if proto tcp from any to $external_addr2 port $external_tcp2 -> 10.0.0.2
rdr on $ext_if proto udp from any to $external_addr2 port $external_udp2 -> 10.0.0.2
rdr on $ext_if proto icmp from any to $external_addr2 -> 10.0.0.2

table <spamd> persist
table <spamd-white> persist file "/var/qmail/control/accept"
no rdr on $lo_if from any to any
rdr inet proto tcp from <spamd> to any  port smtp -> $lo_addr port 8025
rdr inet proto tcp from !<spamd-white> to any  port smtp -> $lo_addr port 8025

# Filtering:
#block in all
#pass in all
pass in on $lo_if inet proto tcp from any  to $lo_if port 8025 keep state
pass in on $ext_if inet proto tcp from any  to $lo_if port 8025 keep state
pass in on $ext_if inet proto tcp from any  to $ext_if port $external_tcp keep state
pass in on $ext_if inet proto udp from any  to $ext_if port $external_udp keep state
pass in on $ext_if inet proto icmp from any  to $ext_if keep state
pass in on $int_if inet proto tcp from any  to any  keep state
pass in on $int_if inet proto udp from any  to any  keep state
pass in on $int_if inet proto icmp from any  to any  keep state
pass in on $int_if from $internal_addr2 to any keep state
pass in on $lo_if inet proto { tcp, udp, icmp }  from any  to any  keep state
pass from { $lo_net , $internal_net } to any keep state
pass out log inet proto tcp from any  to any  port smtp label smtp_out
pass out all keep state
pass in log all
pass out log all


pfspamd is working.  I think if I can get the internal host to
ping an external site, I can figure out the rest. What's wrong?

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george at galis.org