Stupid mistake. PF presumably still held a state for it that had been created by the normal
NAT rule. The next day, when I tested it again, it worked fine.
On Thu, 8 Nov 2007 06:22:54 -0500
Bill <[EMAIL PROTECTED]> spake:
>
> This in on OpenBSD 4.1...
>
> My fw rules are working fine, apart from some issues with the cisco vpn
> client getting disconnected every few minutes, but that is another
> story.
>
> I have added an Xbox360 to my network. Part of the whole Microsoft
> experience is that it requires some open NAT thing. I had an extra IP
> address so I want to map it, one to one to my XBOX. From what I
> understood this is a perfect use for Binat.
>
> So I added this rule:
> binat on $ext_if from 5.0.0.8 to any -> $ext_ip_153
>
> But when I watch my traffic, the xbox is not going out as being
> from 153. It is going out through the normal NAT like everything else. I
> can see this with tcpdump on the firewall.
>
> I thought with NAT the first matching rule was used...
>
> I tried it at the beginning and end of the NAT stuff.
>
> Any thoughts on this? Should I just go back and do normal redirection
> to accomplish this goal?
>
>
> Thanks for any advice on this whole thing...
>
> Bill
>
>
>
>
> # pf.conf for an OpenBSD 4.1 firewall: sis0 is the external interface, sk0 the
> # internal LAN, tun0 openvpn and fxp0 wifi.  Sections: macros, options and
> # tables, translation (nat/rdr/binat) rules, then the filter rules.
> # MACRO SECTION ########################
> # These are basically just variables we use in the rules
> # by using a $ then the name. Like: $ext_if
> int_if = "sk0"
> ext_if = "sis0"
> openvpn_if = "tun0"
> wifi_if = "fxp0"
>
> openvpn_ip_addresses = "{ 69.9.159.154, 5.0.3.1 }"
> openvpn_port_address = "443"
> openvpn_network = "5.0.99.0/24"
>
> wifi_insecure_network = "5.0.2.0/24"
> wifi_secure_network = "5.0.3.0/24"
>
> # NOTE(review): 5.0.0.0/8 is not RFC 1918 private space and is not in the
> # $martians table below, so the martians block on $ext_if does not stop a
> # packet with a 5.x source arriving from the outside; see the antispoof note
> # in the PF Rules section.
> localnet = "5.0.0.0/8"
> ftp_proxy = "69.9.159.152"
> # Used by the xbox pass rules in the filter section; the binat rule below
> # repeats the literal address instead of referencing this macro.
> xbox360 = "5.0.0.8"
>
> #### 152 is used for outbound traffic (web surfing, ftp, etc)
> ext_ip_152 = "69.9.159.152"
>
> #### 153 is used for inbound public oriented stuff (public email in, www)
> # NOTE(review): .153 is also the binat target for the xbox below.  A binat is a
> # bidirectional 1:1 mapping, so inbound traffic to .153 is translated to the
> # xbox as well -- confirm this does not conflict with the smtp rdr further down
> # (which is written with 68.99.159.x addresses).
> ext_ip_153 = "69.9.159.153"
>
> #### 154 is used for explosivo oriented stuff (openvpn, mail getting, submission)
> ext_ip_154 = "69.9.159.154"
>
> external_dns_servers = "{78.9.16.30, 78.9.16.29 }"
>
> # Machines that are allowed to SSH to the FW
> admin_addresses = "{ 79.24.33.254, 78.99.159.145 }"
> cisco_vpn_hosts = "{ 79.24.33.226 }"
>
> icmp_types = "{ echoreq, unreach }"
> allowed_udp_services = "{ domain, time }"
>
> # IANA networks we should never see coming in, or going out
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
>
> set block-policy return
> set skip on lo0
> scrub in all
> scrub out all random-id
>
> # This will be used to stop specific IP's as needed
> table <abusive_hosts> persist
>
> table <spamd> persist file "/var/pf/spamd"
> table <spamd-mywhite> persist file "/var/pf/mywhitelist"
> table <spamd-white> persist file "/var/pf/whitelist"
>
> # NAT rules ##########################################
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> # This is for the XBOX
> # 1:1 bidirectional mapping of the xbox onto the public .153 address.  Per the
> # follow-up in this thread, the rule appeared not to take effect at first
> # because pf already held a state for the xbox created by the generic nat rule
> # below; it worked once that state had gone.  Written with the literal
> # 5.0.0.8 rather than $xbox360.
> binat on $ext_if from 5.0.0.8 to any -> $ext_ip_153
>
> # NOTE(review): this and several rules below (squid, ntp and smtp rdr, ssh,
> # wifi, openvpn) are wrapped onto two lines by the mail client; in the real
> # file each rule must be on one line or continued with a trailing backslash.
> rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1
> port 8021
>
> # Redirect all outbound web traffic to squid proxy
> rdr pass on $int_if proto tcp from $localnet to any port 80 -> $int_if
> port 3128
>
> # Redirect time server requests to firewall
> rdr pass on $int_if proto udp from $localnet to any port 123 -> $int_if
> port 123
>
> # NOTE(review): "po rt" is a line-wrap artifact; pf would reject it as
> # written.  The 68.99.159.x addresses do not match the 69.9.159.x $ext_ip_*
> # macros above -- presumably a transcription difference in the post.
> rdr pass on $ext_if proto tcp from any to { 68.99.159.152,
> 68.99.159.153, 68.99.159.154 } port smtp -> 68.99.159.153 po rt 8025
>
> #redirect ntp requests to the firewall
> # NOTE(review): appears to duplicate the port 123 redirect above (ntp is
> # port 123), this time without "pass".
> rdr on $int_if proto udp from $localnet to any port ntp -> $int_if port
> ntp
>
>
> # Force outbound port 25 from the LAN through the internal mail host 5.0.0.1
> # (see the MAIL HANDLING pass rule in the filter section).
> rdr on $int_if proto tcp from $localnet to ! $localnet port 25 ->
> 5.0.0.1
> #no nat on $int_if proto tcp from $int_if to $localnet
>
> # All internal traffic can be sourced to the ext interface
> nat on $ext_if from $localnet to any -> $ext_ip_152
>
> # All wifi_insecure traffic can be sourced to the ext interface
> # NOTE(review): redundant -- 5.0.2.0/24 lies inside $localnet (5.0.0.0/8), so
> # the nat rule above already matches this traffic.
> nat on $ext_if from $wifi_insecure_network to any -> $ext_ip_152
>
>
>
> # PF Rules ##########################################
> # NOTE(review): the "$" is missing on both lines -- as written these refer to
> # interfaces literally named "ext_if" and "int_if", not to sis0/sk0 defined
> # above, so no antispoof protection is applied to the real interfaces.
> # Presumably $ext_if and $int_if were intended.
> antispoof quick for ext_if
> antispoof quick for int_if
>
> # Checked before everything else; quick stops evaluation on a match.
> block in quick from <abusive_hosts>
>
> block in log on $ext_if
> block in log on $int_if
> block in log on tun0
> block in log on vlan1
> block in log on vlan2
> block in log on vlan3
>
> # Default deny in both directions; every pass rule below is an exception
> # (last matching rule wins unless a rule is marked quick).
> block out log all
> block in log all
>
> anchor "ftp-proxy/*"
>
> # Lets the ftp proxy (presumably the one behind the 127.0.0.1:8021 rdr above)
> # open control connections to outside FTP servers.
> pass out proto tcp from $ftp_proxy to any port 21 keep state
>
> # This rule drops addresses that should not be coming from the internet
> # and prevents egress to those same addresses (IANA Private addr space)
> block drop in quick on $ext_if from $martians to any
> block drop out quick on $ext_if from any to $martians
>
>
> # Rule to allow ssh access to firewall from admin addresses
> # NOTE(review): two rules merged by line wrapping -- the admin ssh rule ends at
> # "port ssh"; "pass quick inet proto tcp from $localnet to $int_if port ssh"
> # is a separate rule for LAN access.
> pass quick log inet proto tcp from $admin_addresses to $ext_ip_154 port
> ssh pass quick inet proto tcp from $localnet to $int_if port ssh
>
> # NOTE(review): no interface or direction and marked quick, so these match any
> # TCP/UDP packet to or from the xbox on every interface before the rest of
> # the ruleset is consulted.  Together with the binat above this exposes every
> # TCP/UDP port on the xbox to the internet; restrict to the ports the console
> # needs, or at least to "in on $ext_if", if that is not intended.
> pass quick proto {tcp,udp} from any to $xbox360
> pass quick proto {tcp,udp} from $xbox360 to any
>
>
> # Allow firewall to:
> # perform domain lookups
> pass out quick on $ext_if proto udp from any to any port domain
> pass out quick on $ext_if proto tcp from any to any port domain
>
> # wifi_insecure_networks to outside
> # NOTE(review): two rules merged by line wrapping -- the tcp rule ends at
> # "port {80,53}"; the udp rule to $external_dns_servers is separate.
> pass in quick on vlan2 proto tcp from $wifi_insecure_network to !
> $localnet port {80,53} pass in quick on vlan2 proto udp from
> $wifi_insecure_network to $external_dns_servers
>
> # perform ntp checks
> pass out quick on $ext_if proto udp from any to any port ntp keep state
>
> pass in quick on $int_if proto udp from any to any port ntp keep state
> pass out quick on $int_if proto udp from any to any port ntp keep state
>
> # Rules to allow squid to connect out
> pass in quick on $int_if proto tcp from any to $int_if port 3128
> pass out quick on $ext_if inet proto tcp from $ext_ip_152 to any port
> www
>
> # Rules to allow outbound allowed traffic
> # No interface or direction given: these apply to traffic entering or leaving
> # on any interface with a $localnet / $ext_if source.
> pass log inet proto {tcp,udp} from $localnet to any
> pass log inet proto {tcp,udp} from $ext_if to any
>
> # Rules to allow outbound icmp, stop inbound at fw
> # NOTE(review): there is no direction or interface here, so echoreq and
> # unreach are passed in both directions on all interfaces -- the "stop
> # inbound" intent is not enforced by this rule.
> pass quick inet proto icmp all icmp-type $icmp_types keep state
>
> # MAIL HANDLING
> # rule to allow outbound mail to be accepted
> pass log quick on $int_if proto tcp from $localnet to 5.0.0.1 port smtp
> pass out log quick on $ext_if proto tcp from any to any port smtp
>
>
> # Rules to support openvpn connection
> # NOTE(review): six rules wrapped together by the mail client: two "pass in"
> # rules for the udp listener on $ext_if and vlan3, "pass in" on $openvpn_if,
> # "pass out" on $int_if from $openvpn_network to $localnet, "pass in" on
> # $int_if to $openvpn_network, and "pass out" on $openvpn_if.
> pass in log quick on $ext_if inet proto udp from any to
> $openvpn_ip_addresses port $openvpn_port_address pass in log quick on
> vlan3 inet proto udp from any to 5.0.3.1 port $openvpn_port_address
> pass in log quick on $openvpn_if pass out log quick on $int_if from
> $openvpn_network to $localnet pass in log quick on $int_if from any to
> $openvpn_network pass out log quick on $openvpn_if
>
> # Experimental to support cisco vpn client outbound
> # NOTE(review): all of these are any-to-any with no interface or direction;
> # the last esp rule duplicates the first one in this group.
> pass proto esp from any to any keep state
> pass proto igmp from any to any keep state allow-opts
> pass proto udp from any to any port isakmp keep state
> pass proto udp from any to any port 214 keep state
> pass proto tcp from any to any port 1723 keep state
> pass proto esp from any to any keep state
>
>
>