This is on OpenBSD 4.1...
My fw rules are working fine, well some issues with the cisco vpn
client getting disconnected every few minutes, but that is another
story.
I have added an Xbox360 to my network. Part of the whole Microsoft
experience is that it requires some open NAT thing. I had an extra IP
address so I want to map it, one to one to my XBOX. From what I
understood this is a perfect use for Binat.
So I added this rule:
binat on $ext_if from 5.0.0.8 to any -> $ext_ip_153
But when I watch my traffic the xbox is not being routed out as being
from 153. It is going out through the normal NAT for everything. I
can see this with tcpdump on the firewall.
I thought with NAT the first matching rule was used...
I tried it at the beginning and end of the NAT stuff.
Any thoughts on this? Should I just go back and do normal redirection
to accomplish this goal?
Thanks for any advice on this whole thing...
Bill
# MACRO SECTION ########################
# These are basically just variables we use in the rules
# by using a $ then the name. Like: $ext_if
int_if = "sk0"
ext_if = "sis0"
openvpn_if = "tun0"
wifi_if = "fxp0"
openvpn_ip_addresses = "{ 69.9.159.154, 5.0.3.1 }"
openvpn_port_address = "443"
openvpn_network = "5.0.99.0/24"
wifi_insecure_network = "5.0.2.0/24"
wifi_secure_network = "5.0.3.0/24"
localnet = "5.0.0.0/8"
ftp_proxy = "69.9.159.152"
xbox360 = "5.0.0.8"
#### 152 is used for outbound traffic (web surfing, ftp, etc)
ext_ip_152 = "69.9.159.152"
#### 153 is used for inbound public oriented stuff (public email in, www)
ext_ip_153 = "69.9.159.153"
#### 154 is used for explosivo oriented stuff (openvpn, mail getting, submission)
ext_ip_154 = "69.9.159.154"
external_dns_servers = "{78.9.16.30, 78.9.16.29 }"
# Machines that are allowed to SSH to the FW
admin_addresses = "{ 79.24.33.254, 78.99.159.145 }"
cisco_vpn_hosts = "{ 79.24.33.226 }"
icmp_types = "{ echoreq, unreach }"
allowed_udp_services = "{ domain, time }"
# IANA networks we should never see coming in, or going out
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
set block-policy return
set skip on lo0
scrub in all
scrub out all random-id
# This will be used to stop specific IP's as needed
table <abusive_hosts> persist
table <spamd> persist file "/var/pf/spamd"
table <spamd-mywhite> persist file "/var/pf/mywhitelist"
table <spamd-white> persist file "/var/pf/whitelist"
# NAT rules ##########################################
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# This is for the XBOX (5.0.0.8 is $xbox360). binat is bidirectional: outbound
# packets from the XBOX leave as $ext_ip_153 and inbound packets for
# $ext_ip_153 are mapped back to the XBOX.
binat on $ext_if from 5.0.0.8 to any -> $ext_ip_153
# Divert outbound FTP to ftp-proxy(8) listening on the firewall
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# Redirect all outbound web traffic to squid proxy
rdr pass on $int_if proto tcp from $localnet to any port 80 -> $int_if port 3128
# Redirect time server requests to firewall
rdr pass on $int_if proto udp from $localnet to any port 123 -> $int_if port 123
# Inbound SMTP to the public addresses goes to spamd(8) on port 8025
rdr pass on $ext_if proto tcp from any to { 68.99.159.152, \
68.99.159.153, 68.99.159.154 } port smtp -> 68.99.159.153 port 8025
# redirect ntp requests to the firewall (same as the port 123 rule above;
# translation rules are first-match, so that one already catches this traffic)
rdr on $int_if proto udp from $localnet to any port ntp -> $int_if port ntp
# Outbound SMTP from the LAN is redirected to the internal mail host 5.0.0.1
rdr on $int_if proto tcp from $localnet to ! $localnet port 25 -> 5.0.0.1
#no nat on $int_if proto tcp from $int_if to $localnet
# All internal traffic can be sourced to the ext interface
nat on $ext_if from $localnet to any -> $ext_ip_152
# All wifi_insecure traffic can be sourced to the ext interface
# (5.0.2.0/24 lies inside $localnet, so the rule above already covers it)
nat on $ext_if from $wifi_insecure_network to any -> $ext_ip_152
# PF Rules ##########################################
antispoof quick for $ext_if
antispoof quick for $int_if
block in quick from <abusive_hosts>
block in log on $ext_if
block in log on $int_if
block in log on tun0
block in log on vlan1
block in log on vlan2
block in log on vlan3
block out log all
block in log all
anchor "ftp-proxy/*"
pass out proto tcp from $ftp_proxy to any port 21 keep state
# This rule drops addresses that should not be coming from the internet
# and prevents egress to those same addresses (IANA Private addr space)
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
# Rule to allow ssh access to firewall from admin addresses
pass quick log inet proto tcp from $admin_addresses to $ext_ip_154 port ssh
# ... and from the LAN to the internal interface
pass quick inet proto tcp from $localnet to $int_if port ssh
# XBOX: allow all tcp/udp to and from it on every interface (with the binat
# above this is the "open NAT" the console expects, so anything reaching
# $ext_ip_153 from the internet is passed straight to the console)
pass quick proto {tcp,udp} from any to $xbox360
pass quick proto {tcp,udp} from $xbox360 to any
# Allow firewall to:
# perform domain lookups
pass out quick on $ext_if proto udp from any to any port domain
pass out quick on $ext_if proto tcp from any to any port domain
# wifi_insecure_networks to outside
pass in quick on vlan2 proto tcp from $wifi_insecure_network to ! $localnet port {80,53}
pass in quick on vlan2 proto udp from $wifi_insecure_network to $external_dns_servers
# perform ntp checks
pass out quick on $ext_if proto udp from any to any port ntp keep state
pass in quick on $int_if proto udp from any to any port ntp keep state
pass out quick on $int_if proto udp from any to any port ntp keep state
# Rules to allow squid to connect out
pass in quick on $int_if proto tcp from any to $int_if port 3128
pass out quick on $ext_if inet proto tcp from $ext_ip_152 to any port www
# Rules to allow outbound allowed traffic
pass log inet proto {tcp,udp} from $localnet to any
pass log inet proto {tcp,udp} from $ext_if to any
# Rules to allow outbound icmp, stop inbound at fw
pass quick inet proto icmp all icmp-type $icmp_types keep state
# MAIL HANDLING
# rule to allow outbound mail to be accepted
pass log quick on $int_if proto tcp from $localnet to 5.0.0.1 port smtp
pass out log quick on $ext_if proto tcp from any to any port smtp
# Rules to support openvpn connection
pass in log quick on $ext_if inet proto udp from any to $openvpn_ip_addresses port $openvpn_port_address
pass in log quick on vlan3 inet proto udp from any to 5.0.3.1 port $openvpn_port_address
pass in log quick on $openvpn_if
pass out log quick on $int_if from $openvpn_network to $localnet
pass in log quick on $int_if from any to $openvpn_network
pass out log quick on $openvpn_if
# Experimental to support cisco vpn client outbound
pass proto esp from any to any keep state
pass proto igmp from any to any keep state allow-opts
pass proto udp from any to any port isakmp keep state
pass proto udp from any to any port 214 keep state
pass proto tcp from any to any port 1723 keep state
_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies
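The question above is really about which translation rule pf picks for a packet leaving the external interface. The following is an added example, not code from the post: a small Python evaluator that expands `$macros`, parses the post's `binat` and `nat` lines from a constructed pf.conf snippet, and reports the rule pf would apply to an outbound packet. It assumes the lookup order implemented in OpenBSD's `pf_get_translation()`: on the way out, `binat` rules are consulted before `nat` rules regardless of where they sit in the file, and within one kind the first match wins. The destination 203.0.113.5 is a constructed TEST-NET-3 address.

```python
"""Which pf translation rule catches an outbound packet?

Added example, not code from the mailing-list post.  Assumption taken from
OpenBSD's pf_get_translation(): for outbound packets binat rules are
consulted before nat rules wherever they appear in pf.conf; within one kind
the first matching rule wins.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed snippet: the post's macros and translation rules, with the
# binat rule deliberately placed LAST to show that file position across
# rule kinds does not matter.
PF_CONF = """
ext_if = "sis0"
localnet = "5.0.0.0/8"
wifi_insecure_network = "5.0.2.0/24"
xbox360 = "5.0.0.8"
ext_ip_152 = "69.9.159.152"
ext_ip_153 = "69.9.159.153"
# All internal traffic can be sourced to the ext interface
nat on $ext_if from $localnet to any -> $ext_ip_152
nat on $ext_if from $wifi_insecure_network to any -> $ext_ip_152
# This is for the XBOX
binat on $ext_if from $xbox360 to any -> $ext_ip_153
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
RULE_RE = re.compile(
    r'^(binat|nat)\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)$')


@dataclass
class Rule:
    kind: str                                # "binat" or "nat"
    iface: str
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    target: str                              # translated source address


def _net(spec: str) -> Optional[ipaddress.IPv4Network]:
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_translation_rules(conf: str) -> list:
    """Return the binat/nat rules of `conf` in file order, macros expanded."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Expand $name using macros defined earlier in the file, as pfctl does.
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line for this mini-parser: {raw!r}")
        kind, iface, src, dst, target = m.groups()
        rules.append(Rule(kind, iface, _net(src), _net(dst), target))
    return rules


def _matches(rule: Rule, iface: str, src: str, dst: str) -> bool:
    if rule.iface != iface:
        return False
    for net, addr in ((rule.src, src), (rule.dst, dst)):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    return True


def outbound_translation(rules: list, iface: str, src: str, dst: str):
    """(kind, translated source) for a packet leaving `iface`, or (None, src)."""
    for kind in ("binat", "nat"):        # binat is consulted first on the way out
        for rule in rules:
            if rule.kind == kind and _matches(rule, iface, src, dst):
                return kind, rule.target
    return None, src


RULES = parse_translation_rules(PF_CONF)

if __name__ == "__main__":
    for host in ("5.0.0.8", "5.0.0.20", "10.1.1.1"):
        print(host, "->", outbound_translation(RULES, "sis0", host, "203.0.113.5"))
```

Run as-is, the XBOX address comes out as `("binat", "69.9.159.153")` while another LAN host gets `("nat", "69.9.159.152")`, so rule order between `binat` and `nat` is not what makes the console leave as 152. When the live firewall still shows the `nat` address for the console, the first thing to confirm is that the `binat` rule is actually in the loaded ruleset (`pfctl -s nat` lists the loaded translation rules, and `pfctl -nf /etc/pf.conf` parses the file without loading it, so a syntax error elsewhere in the file that prevented the reload shows up there).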