Hello Axton... cool name by the way. I noticed the match statements work for me as well. Perhaps it is required?

________________________________________
From: Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 2:06 PM
To: Bentley, Dain
Cc: Stuart Henderson; misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain <dbent...@nas.edu> wrote:

Hello Stuart and thanks for your reply. It still doesn't help, this seems to work but I'm not sure if this is a good config:

# NAT RULES
match out on $ext tagged LAN nat-to ($ext)

# BLOCKING AND PACKET TAGGING
pass in on $int from $int_net tag LAN
#pass in on $int tag LAN
block out on $ext from any to any
pass out quick on $ext tagged LAN

________________________________________
From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart Henderson [s...@spacehopper.org]
Sent: Thursday, November 03, 2011 6:53 AM
To: misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

you aren't using tagging in your sample.

On 2011-11-03, Wesley M. <open...@e-solutions.re> wrote:
> Hi, try this sample
>
> _int = "re0"
> _ext = "fxp1"
> int_net = "192.168.200.0/24"
> set block-policy drop
> set skip on lo
> match in all scrub (no-df max-mss 1440)
> match out on $_ext inet from $int_net to any nat-to (egress)
> block log all
> pass in on $_int inet proto udp from $int_net to any port domain
> pass in on $_int inet proto tcp from $int_net to any port \
>     { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
> pass out on $_ext inet proto tcp all
> pass out on $_ext inet proto udp all
>
>
> All the best,
>
> Wesley MOUEDINE ASSABY.
>
>
>> _int = "re0"
>> _ext = "fxp1"
>> int_net = "192.168.200.0/24"
>>
>> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
>> pass in on $_int from $int_net tag LAN_TO_INET
>>
>> ......
>>
>> pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)
>>
>>
>>
>> Any reason why at the bottom of my .conf file where nat-to is in my "quick"
>> rule it would work but when it's at the first filter rule it does not? I've
>> read over the man page and have the book of pf v.2 and still am confused. Any
>> thought is greatly appreciated.
>>
>>
>>
>> Regards,
>>
>> Dain

I use something like this. The ruleset has been modified before posting, so no guarantees that I didn't mess something up.

# interfaces
if_lo="lo"
if_enc="enc0"
if_gif="gif0"
if_ext="vlan3"
if_int="vlan20"
if_srv="vlan40"

# interface ip's
ip4_int="10.0.0.1"
ip6_int="2001:xxxx:xxxx:20::10"
ip4_srv="10.0.20.1"
ip6_srv="2001:xxxx:xxxx:40::10"

# networks
net4_int="10.0.0.0/22"
net6_int="2001:xxxx:xxxx:20::/64"
net4_srv="10.0.20.0/22"
net6_srv="2001:xxxx:xxxx:40::/64"

# other macros
icmp_types="echoreq"

# default policy
block log all

# TRANSLATION
match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext) static-port
match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

# allow router access to all nets (ipv4)
pass out on $if_ext proto tcp from $if_ext to any
pass out on $if_ext proto udp from $if_ext to any keep state
pass out on $if_ext inet proto icmp from $if_ext to any keep state
pass out on $if_int proto tcp from $if_int to any
pass out on $if_int proto udp from $if_int to any keep state
pass out on $if_int inet proto icmp from $if_int to any keep state
pass out on $if_int inet6 proto ipv6-icmp from $if_int to any keep state
pass out on $if_srv proto tcp from $if_srv to any
pass out on $if_srv proto udp from $if_srv to any keep state
pass out on $if_srv inet proto icmp from $if_srv to any keep state
pass out on $if_srv inet6 proto ipv6-icmp from $if_srv to any keep state

# tag packets per network
pass in on $if_int proto tcp from { $net4_int, $net6_int } tag INT_INET
pass in on $if_int proto udp from { $net4_int, $net6_int } tag INT_INET keep state
pass in on $if_int inet proto icmp from $net4_int icmp-type $icmp_types tag INT_INET keep state
pass in on $if_int inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv proto udp from { $net4_srv, $net6_srv } tag SRV_INET keep state
pass in on $if_srv inet proto icmp from $net4_srv icmp-type $icmp_types tag SRV_INET keep state
pass in on $if_srv inet6 proto ipv6-icmp tag SRV_INET keep state

# policy enforcement
# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT
# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET
# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET

Axton Grams
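The thread's question (why nat-to on a match rule or on a quick pass rule takes effect, while the same nat-to on a non-quick pass rule placed first does not) comes down to pf's evaluation order: match rules apply their options as soon as they match, whereas pass/block rules are last-match-wins unless quick, and only the winning rule's options are applied. The toy model below is an added example, not code from the thread; MATCH_NAT mirrors Dain's working config, while PASS_NAT_FIRST is an assumed reconstruction of the failing layout in which a later plain "pass out on $ext" rule (an assumption, as are the interface names "int", "ext" and the address "ext_ip") becomes the winner.

```python
# Toy model of pf tag/tagged and nat-to evaluation (added example, not from the thread).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "match", "pass" or "block"
    direction: str                   # "in" or "out"
    iface: str
    tagged: Optional[str] = None     # only match packets already carrying this tag
    tag: Optional[str] = None        # tag to stamp on the packet
    nat_to: Optional[str] = None     # translation address
    quick: bool = False

def evaluate(rules, pkt):
    """One pass through the ruleset for pkt (a dict); returns (verdict, nat)."""
    nat, winner = None, None
    for r in rules:
        if (r.direction, r.iface) != (pkt["dir"], pkt["if"]) or \
           (r.tagged is not None and pkt["tag"] != r.tagged):
            continue
        if r.action == "match":          # match: options take effect immediately
            pkt["tag"] = r.tag or pkt["tag"]
            nat = r.nat_to or nat
            continue
        winner = r                       # last matching pass/block wins...
        if r.quick:
            break                        # ...unless it is quick
    if winner:                           # the winner's own options apply last
        pkt["tag"] = winner.tag or pkt["tag"]
    return (winner.action, winner.nat_to or nat) if winner else ("pass", nat)

def forward(rules, in_iface, out_iface):
    # Route one packet in_iface -> out_iface; the tag survives forwarding.
    pkt = {"dir": "in", "if": in_iface, "tag": None}
    if evaluate(rules, pkt)[0] == "block":
        return "block", None
    pkt["dir"], pkt["if"] = "out", out_iface
    return evaluate(rules, pkt)

# Dain's working layout: nat-to on a match rule sticks whichever pass/block rule wins.
MATCH_NAT = [Rule("match", "out", "ext", tagged="LAN", nat_to="ext_ip"),
             Rule("pass", "in", "int", tag="LAN"),
             Rule("block", "out", "ext"),
             Rule("pass", "out", "ext", tagged="LAN", quick=True)]
# Assumed failing layout: nat-to on a non-quick pass rule, overridden by a later plain pass.
PASS_NAT_FIRST = [Rule("pass", "out", "ext", tagged="LAN", nat_to="ext_ip"),
                  Rule("pass", "in", "int", tag="LAN"),
                  Rule("pass", "out", "ext")]
```

Running forward(MATCH_NAT, "int", "ext") yields a passed and translated packet, untagged traffic out on ext is blocked, and forward(PASS_NAT_FIRST, "int", "ext") passes without translation because the plain pass rule wins; making the first rule quick restores the nat.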