Well guys, I snipped out the stupid priv_nets declaration and all of a
sudden, I can ping from the firewall to internet. Voila! Then, taking
the advice of stuart for nat lines, I followed exactly what he said
and NAT there was on my laptop. I'm getting internet. This is wicked
cool. Thank you guys, so much!
Um, just to finish the job, can you guys just look at the filter rules
and the rdr lines to check whether they actually work? The purpose of
<authorized_hosts> is to block out !<authorized_hosts> and rdr them to a
localhost web server that gives a denial page. Also, how would I enable
services like bittorrent for the internal network (port forwarding, I
think they call it). Thanks guys!

On 6/22/05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> --On 22 June 2005 09:03 -0400, Vivek Ayer wrote:
> 
> > Once I enable pf with the given ruleset, I can't all of a sudden ping
> > to domains.
> 
> PF is doing exactly what you told it ...
> 
> >> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 }"
> >>   [...]
> >> block drop in quick on $ext_if from $priv_nets to any
> >> block drop out quick on $ext_if from any to $priv_nets
> 
> If your ISP is using addresses within 192.168/16 for their 
> infrastructure, you can't block access to those addresses.
> 
> 
> > So, now the question is, can I do NAT from one interface to two
> > internal interfaces? Or, would I have to modify it and in doing ext_if
> > --> NAT --> int_if --> NAT --> wir_if (wireless interface)?
>   [...]
> > nat on $ext_if from !($ext_if) -> ($ext_if:0)
> >
> > what does this exactly do? Looking at it, I don't see int_if and
> > wir_if to which it does nat to.
> 
> ($ext_if) means "the IP address of $ext_if", in your case dc1.
> !($ext_if) means the opposite of the above: any IP address *other than* 
> the address of dc1.
> 
> So, this NATs traffic from any addresses not assigned to your external 
> interface. Alternatively you could use something like,
> 
> nat on $ext_if from $int_if:network -> ($ext_if:0)
> nat on $ext_if from $wir_if:network -> ($ext_if:0)
> 
> 
> > Also, in dhcpd.conf, do I need to have the statement:
> >
> > option domain-name-servers 192.168.1.1
> >
> > to tell the dhcp clients of the internal interfaces that the
> > nameserver they will be using is the ISP's?
> 
> Yes (unless you run a forwarder yourself, or configure the clients' DNS 
> resolver addresses manually).
> 
> 
> > Sorry to bother you guys like this. I'm a newbie in OpenBSD as well as
> > pf. Thanks a lot, though.
> 
> With <http://www.openbsd.org/faq/pf/> and pf.conf(5) by your side, 
> start minimal (maybe just a nat rule, "pass on {$int_if, $wir_if}" 
> "block in on $ext_if", "pass out on $ext_if keep state") and then 
> gradually refine. Make one change at a time, test it and understand 
> what it does before moving on to the next.
> 
> Using 'log' in your rules (both "pass" and "block" rules at first) and 
> monitoring with tcpdump (as described in pflogd(8)) will show you the 
> effects of any new rules which you try. You'll also find "pfctl -sr -v 
> -v" useful in debugging firewall rules, and "pfctl -sn -v -v" useful in 
> debugging nat/rdr.

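As an added illustration of the "start minimal, then refine" approach Stuart describes above, here is a complete pf.conf in the nat/rdr syntax of that era (OpenBSD 3.x). It is not the poster's ruleset or anything from the thread; it is assembled from the pieces quoted above: the per-interface nat rules, "block in on $ext_if", "pass out on $ext_if keep state", 'log' on the rules being tested, an rdr that sends hosts outside <authorized_hosts> to a denial page on localhost, and an rdr plus matching pass rule for forwarding a bittorrent port to one internal machine. The interface names other than dc1, the 192.168.1.0/24 and 192.168.2.0/24 subnets, the member addresses of the table, the forwarding target 192.168.1.20 and the port 6881 are all assumptions chosen for the example.

```pf
# Example pf.conf (OpenBSD 3.x nat/rdr syntax), not the poster's file.
# Interface names, subnets, table members and the bittorrent port are assumed.
ext_if = "dc1"          # external interface, as named in the thread
int_if = "dc0"          # assumed wired internal interface
wir_if = "wi0"          # assumed wireless interface

# Hosts allowed through the firewall (assumed addresses).
table <authorized_hosts> { 192.168.1.10, 192.168.1.11, 192.168.2.10 }

# Assumed machine and port for the forwarded bittorrent service.
bt_host = "192.168.1.20"
bt_port = "6881"

# --- Translation rules (evaluated before filter rules) ---

# NAT each internal network to the primary address of the external interface.
nat on $ext_if from $int_if:network -> ($ext_if:0)
nat on $ext_if from $wir_if:network -> ($ext_if:0)

# Unauthorized hosts trying to reach any web server are redirected to a
# denial page served on the firewall's loopback address.
rdr on { $int_if, $wir_if } proto tcp from !<authorized_hosts> to any port www \
    -> 127.0.0.1 port 80

# Port forwarding: inbound bittorrent on the external address goes to bt_host.
rdr on $ext_if proto tcp from any to ($ext_if) port $bt_port \
    -> $bt_host port $bt_port

# --- Filter rules (see the translated addresses, i.e. after rdr) ---

# Never interfere with loopback traffic.
pass quick on lo0

# Default deny on the external interface, logged while the rules are being tested.
block in log on $ext_if

# Unauthorized hosts may reach only the denial page; everything else from them is dropped.
pass in log quick on { $int_if, $wir_if } proto tcp from !<authorized_hosts> \
    to 127.0.0.1 port 80 flags S/SA keep state
block in log quick on { $int_if, $wir_if } from !<authorized_hosts>

# Authorized internal hosts may talk to the firewall and through it.
pass on { $int_if, $wir_if } keep state

# Outbound traffic from the firewall (and NATed internal traffic) keeps state.
pass out on $ext_if keep state

# The forwarded bittorrent connections must also be passed in; the filter
# sees the post-rdr destination, so the rule names the internal host.
pass in log on $ext_if proto tcp from any to $bt_host port $bt_port \
    flags S/SA keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and then use the commands Stuart lists, `pfctl -sr -vv` and `pfctl -sn -vv`, to confirm which rules are matching and `tcpdump -n -e -ttt -i pflog0` to watch the logged packets. Note that rdr changes the destination address before the filter rules run, which is why the bittorrent pass rule names $bt_host and the denial-page pass rule names 127.0.0.1 rather than the original destinations.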