--On 27 July 2005 10:19 +0100, Gordon Ross wrote:

> I'm trying to get a simple pf setup working, but I'm missing
> something...
>
> I have three hosts, Alice, Bob & Charlie.
>
> Alice & Bob are SMTP servers and need to talk to each other via SMTP.
>
> Charlie is an OpenBSD 3.7 box with 2 NICs. I *have* enabled ip
> routing by doing: "sysctl net.inet.ip.forwarding=1"

How are the interfaces configured? (The best way is to paste the output of 'ifconfig -a' and 'netstat -rn -f inet'; this is easier to read than a verbal description.)

> I have no need to actually NAT the Alice & Bob addresses (unless
> anyone says that I should), I'm just using NAT as I assume that I
> have to use NAT to allow the packets through PF.

That shouldn't be necessary; if it doesn't work without it and this is a simple firewall between the two hosts, something else is likely to be amiss. Removing this is the first thing to try.

> scrub in
> binat from $alice to any -> $alice
> block all
> # Allow packets from Alice to Bob
> pass in on $alice_if proto tcp from $alice to $bob port 25 keep state
> pass out on $bob_if proto tcp from $alice to $bob port 25 keep state
> # Allow packets from Bob to Alice
> pass in on $bob_if proto tcp from $bob to $alice port 25 keep state
> pass out on $alice_if proto tcp from $bob to $alice port 25 keep state
>
> With this, I can "telnet bob 25" from alice and it works fine.
> However, I can't do "telnet alice 25" from bob.

"can't": it would be helpful to describe exactly what happens. Does the connection time out? Is it immediately rejected? No route to host? Some other error? Copy-and-paste is best.

It might help to include your whole pf.conf (xxx out the first byte of the IP address if you have to, but if you do this it's probably a good idea to double-check for typos first).

Generally, to debug PF rulesets, use 'log' in many places (e.g. every block rule and maybe selected 'pass' rules), then watch the logged packets with

# tcpdump -n -e -ttt -i pflog0

- this command line is described in the manual page for pflogd(8), and will show you the exact packets which are being blocked so you can see what you need to allow.
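As an added illustration of the debugging approach described above (not code from this thread, and not OpenBSD's own tooling), the script below parses the kind of lines that 'tcpdump -n -e -ttt -i pflog0' prints for logged pf decisions, counts the blocked flows, and suggests a 'pass ... keep state' rule for each blocked flow whose packets were bare SYNs. The sample log lines, the addresses 192.0.2.10 (Alice) and 192.0.2.20 (Bob), and the interface names fxp0/fxp1 are all constructed for this example; the rule numbers are likewise made up. Blocked packets that are not bare SYNs are reported separately, because a mid-connection packet with no matching state usually points at asymmetric routing or a missing state entry rather than a missing pass rule.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (old-style
# tcpdump TCP format); addresses, interfaces and rule numbers are invented.
SAMPLE_PFLOG = """\
000000 rule 2/(match) block in on fxp1: 192.0.2.20.49211 > 192.0.2.10.25: S 1181475:1181475(0) win 65535 <mss 1460>
1. 002113 rule 2/(match) block in on fxp1: 192.0.2.20.49211 > 192.0.2.10.25: S 1181475:1181475(0) win 65535 <mss 1460>
3. 000551 rule 2/(match) block in on fxp1: 192.0.2.20.49212 > 192.0.2.10.25: S 1181476:1181476(0) win 65535 <mss 1460>
0. 000020 rule 4/(match) pass in on fxp0: 192.0.2.10.51002 > 192.0.2.20.25: S 99:99(0) win 65535 <mss 1460>
0. 000030 rule 2/(match) block in on fxp0: 192.0.2.10.51003 > 192.0.2.20.25: . ack 1 win 65535
"""

# Matches the pflog prefix and the TCP header summary that follows it.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<iface>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
)


def parse_pflog(text):
    """Return one dict per line that matches the pflog/tcpdump format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore non-TCP or unparseable lines
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def blocked_flows(records):
    """Count blocked packets per (iface, direction, src, dst, dport)."""
    counts = Counter()
    for r in records:
        if r["action"] == "block":
            counts[(r["iface"], r["direction"], r["src"], r["dst"], r["dport"])] += 1
    return counts


def suggest_pass_rules(records):
    """Return (rules, notes): a pass rule for each blocked flow that was a bare
    SYN (a new connection the ruleset simply does not allow), and a note for
    blocked flows with other flags (no state existed: look at routing/state)."""
    rules, notes, seen = [], [], set()
    for r in records:
        if r["action"] != "block":
            continue
        key = (r["iface"], r["direction"], r["src"], r["dst"], r["dport"])
        if key in seen:
            continue
        seen.add(key)
        if r["flags"] == "S":
            rules.append(
                f"pass {r['direction']} on {r['iface']} proto tcp "
                f"from {r['src']} to {r['dst']} port {r['dport']} keep state"
            )
        else:
            notes.append(
                f"# {r['src']} -> {r['dst']}:{r['dport']} {r['direction']} on {r['iface']}: "
                f"blocked non-SYN packet (flags '{r['flags']}') with no state; "
                f"check routing and state, not the pass rules"
            )
    return rules, notes


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for key, n in blocked_flows(recs).items():
        print(f"{n:4d} blocked  {key}")
    rules, notes = suggest_pass_rules(recs)
    print("\n".join(rules + notes))
```

Run against real output, the suggested rules are a starting point only: check that each one is a flow you actually intend to allow before adding it to pf.conf, and remember that the `log` keyword must be on the block rule (e.g. `block log all`) for anything to reach pflog0 in the first place.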
