I must be pretty damn stupid that I can't, regardless of all the howtos on
google, set up my own DMZ :/
Anyway, this is the situation: I am behind some router I do not
administer, and I would like to play with pf on my own. With the help
of google I managed to set up a more-or-less trivial NAT on rl1; now I
connected re0 to another machine and I would like that machine to be
in a DMZ.
Some info:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:08:a1:7e:e5:8f
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::208:a1ff:fe7e:e58f%rl0 prefixlen 64 scopeid 0x1
inet 192.168.1.214 netmask 0xffffff00 broadcast 192.168.1.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:40:f4:5f:b8:6c
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::240:f4ff:fe5f:b86c%rl1 prefixlen 64 scopeid 0x2
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:08:54:19:dd:9e
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::208:54ff:fe19:dd9e%re0 prefixlen 64 scopeid 0x3
inet 172.16.1.1 netmask 0xffff0000 broadcast 172.16.255.255
The machine connected to rl1 has IP 192.168.2.32; the
machine that I would like to put in the DMZ has IP 172.16.1.2.
Some of the comments are either my earlier experimenting or attempts to
get this thing done.
# cat /etc/pf.conf
#macros
int_if = "rl1"
ext_if = "rl0"
dmz_if = "re0"
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
10.0.0.0/8 }
#options
set block-policy return
set skip on lo0
#normalization, supposedly prevents some attacks
scrub in all
#translation, provide internet to machines connected to me
nat inet from $int_if:network to ! $int_if:network -> ($ext_if)
#nat on $ext_if inet from 192.168.2.0/24 -> 192.168.1.0/24
rdr on $ext_if proto tcp from any to any port 2222 -> 192.168.2.32
##ssh port forward
nat inet from $dmz_if:network to ! $dmz_if:network -> ($ext_if)
#nat on $ext_if inet from 172.168.1.2 -> 192.168.1.0/24
##default deny policy
block all
#sanity check
#block quick on $ext_if inet from <martians>
#block in quick on $ext_if inet from <martians>
#dmz check
#block inet on $dmz_if from to 192.168.0.0/16
#the two sshs
pass in quick proto tcp to port { 22, 2222 } keep state
#and the pings
pass inet proto icmp all icmp-type echoreq keep state
#dns, dhcpd
pass inet proto { tcp, udp } from any to any port { domain, bootps,
bootpc } keep state
I also have a question: does the sanity check fail because I am
behind another router and so I already get translated packets which
have <martians> IPs?
Any tips/links/info on how to do that appreciated.
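Below is an added example of a three-interface ruleset for the layout described in this post. It is not the poster's configuration and not code from the pf project; it assumes the interface names and addresses shown in the ifconfig output above (rl0 upstream, rl1 LAN 192.168.2.0/24, re0 DMZ 172.16.0.0/16), an assumed HTTP service on the DMZ host 172.16.1.2, and uses invented macro names (dmz_host, lan_ssh_host). The nat/rdr syntax is the pre-4.7 form used in the post. Two design points: the DMZ leg may reach the internet but never initiate anything toward the LAN, which is the property that makes a DMZ a DMZ; and the martians table excludes 192.168.1.0/24, because rl0 itself holds 192.168.1.214, so packets (and replies) arriving from the upstream router carry sources in that prefix and a plain 192.168.0.0/16 entry would drop them.

```pf
# Added example ruleset (not the poster's pf.conf). Assumptions: rl0 is the
# upstream side with a 192.168.1.0/24 address handed out by a router we do
# not control, rl1 is the LAN 192.168.2.0/24, re0 is the DMZ 172.16.0.0/16.
ext_if = "rl0"
int_if = "rl1"
dmz_if = "re0"
dmz_host     = "172.16.1.2"     # assumed: runs an HTTP service
lan_ssh_host = "192.168.2.32"   # LAN host reached via port 2222 (from the post)

# Bogon/private sources that should never arrive on the upstream side.
# 192.168.1.0/24 is excluded on purpose: rl0 lives in that prefix, so the
# upstream router and every reply it forwards has a source in it.
table <martians> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
    192.168.0.0/16, !192.168.1.0/24 }

set block-policy return
set skip on lo0
scrub in all

# Translation: LAN and DMZ both leave through rl0 using its address.
# "on $ext_if" limits NAT to packets actually leaving on rl0, so LAN->DMZ
# traffic crossing re0 keeps its real source address.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
nat on $ext_if inet from $dmz_if:network to any -> ($ext_if)

# Inbound services: ssh to the LAN host on 2222, HTTP to the DMZ host.
rdr on $ext_if proto tcp from any to ($ext_if) port 2222 -> $lan_ssh_host port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 80   -> $dmz_host port 80

# Default deny, then spoofing checks on all three legs.
block all
block in quick on $ext_if inet from <martians>
antispoof quick for { $int_if, $dmz_if }

# The firewall itself may talk out on any interface (stateful).
pass out all keep state

# Management: ssh to this box only from the LAN.
pass in on $int_if proto tcp from $int_if:network to ($int_if) port 22 keep state

# DNS and DHCP served by this box to both the LAN and the DMZ.
pass in on { $int_if, $dmz_if } inet proto { tcp, udp } \
    from any to any port { domain, bootps, bootpc } keep state

# Ping is allowed everywhere, state keeps replies flowing.
pass inet proto icmp all icmp-type echoreq keep state

# LAN clients may reach anything: the internet and the DMZ host.
pass in on $int_if from $int_if:network to any keep state

# DMZ clients may reach the internet but never the LAN, not even the
# firewall's LAN address. The quick block wins over the pass below it.
block in quick on $dmz_if from $dmz_if:network to $int_if:network
pass in on $dmz_if from $dmz_if:network to any keep state

# Published services: the rdr above already rewrote the destination, so
# the filter matches the internal address and port.
pass in on $ext_if proto tcp from any to $lan_ssh_host port 22 keep state
pass in on $ext_if proto tcp from any to $dmz_host port 80 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the expanded rules and `pfctl -t martians -T show` confirms the 192.168.1.0/24 exclusion took effect. To verify the DMZ property, try an ssh or ping from 172.16.1.2 to 192.168.2.32: it should be refused (block-policy return) while the same host can still reach the internet.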