Ok, so I wanted to solve this myself, and after about
40 hours of research and troubleshooting I am still not further than when
I started. In fact I may have taken a step backwards. But more to
the point, I am having trouble with NAT; and perhaps with my filter rules?
Although I did copy pf.conf verbatim from benzedrine I will include the files in
the message. BTW, using OpenBSD 3.1, so I can reach the outside world from
the BSD box but not from within the LAN. DHCP is configured properly with
name servers from attbi. I don't know what I'm missing; pf is enabled, as is
forwarding in sysctl.conf. Any thoughts?
First, here is the output of:
$ pfctl -s all
@0 scrub out all
@1 scrub in all
@2 block out log all
@3 block in log all
@4 block return-rst out log inet proto tcp all
@5 block return-rst in log inet proto tcp all
@6 block return-icmp out log inet proto udp all
@7 block return-icmp in log inet proto udp all
@8 pass out quick on ep0 all
@9 pass out quick on enc0 all
@10 pass out quick on lo0 all
@11 pass in quick on ep0 all
@12 pass in quick on enc0 all
@13 pass in quick on lo0 all
@14 block return-rst in quick proto tcp from any to any port = 6667
@15 block return-rst in quick proto tcp from any to any port = 6000
@16 block return-rst in quick proto tcp from any to any port = sunrpc
@17 block return-icmp in quick proto udp from any to any port = netbios-ns
@18 block out quick proto tcp all flags /S
@19 block in quick proto tcp all flags /S
@20 block out log quick on tl0 inet from ! 12.253.82.148/32 to any
@21 block in quick on tl0 inet from any to 62.65.145.31/32
@22 block in quick on tl0 inet from any to 255.255.255.255/32
@23 block in log quick on tl0 inet from 255.255.255.255/32 to any
@24 block in log quick on tl0 inet from 192.168.0.0/16 to any
@25 block in log quick on tl0 inet from 172.16.0.0/12 to any
@26 block in log quick on tl0 inet from 10.0.0.0/8 to any
@27 block in log quick on tl0 inet from 127.0.0.0/8 to any
@28 pass out on tl0 inet proto icmp from 12.253.82.148/32 to any icmp-type echoreq code 0 keep state
@29 pass in on tl0 inet proto icmp from any to 12.253.82.148/32 icmp-type echoreq code 0 keep state
@30 pass out on tl0 inet proto udp from 12.253.82.148/32 to any keep state
@31 pass out on tl0 inet proto tcp from 12.253.82.148/32 to any flags S/SA keep state
nat on tl0 from 192.168.0.0/24 to any -> 12.253.82.148
Status: Enabled  Time: 1036493794  Since: 1036420451  Debug: None
Bytes In          IPv4: 0  Bytes Out: 0
                  IPv6: 0  Bytes Out: 0
Inbound Packets   IPv4: Passed: 0  Dropped: 0
                  IPv6: Passed: 0  Dropped: 0
Outbound Packets  IPv4: Passed: 0  Dropped: 0
                  IPv6: Passed: 0  Dropped: 0
States: 0
pf Counters
state searches 56749
state inserts 558
state removals 558
Counters
match 37958
bad-offset 0
fragment 0
short 1
normalize 0
memory 0
# pf.conf
ext_if="tl0"
int_if="ep0"
unroutable="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
192.168.0.0/16, 255.255.255.255/32 }"
services_tcp="{ ssh, smtp, submission, domain, auth, www, pop3, > 1024 }"
services_udp="{ domain }"
ipv6_net="{ 2001:470:1f00:ffff::245, 2001:470:1f00:390:0:0:0:0/64 }"
# normalize all packets
#
scrub out all
scrub in all
# block and log everything by default
#
block out log all
block in log all
block return-rst out log inet proto tcp all
block return-rst in log inet proto tcp all
block return-icmp out log inet proto udp all
block return-icmp in log inet proto udp all
# unfiltered interfaces
#
pass out quick on { lo0, enc0, $int_if } all
pass in quick on { lo0, enc0, $int_if } all
# =============================================================================
# common rules for all filtered interfaces
# =============================================================================
# silently drop noise
#
block return-rst in quick proto tcp from any to any \
port { 111, 6000, 6667 }
block return-icmp in quick proto udp from any to any \
port { 137 }
# silently drop TCP non-SYN packets (only SYNs create state)
#
block out quick proto tcp all flags /S
block in quick proto tcp all flags /S
# =============================================================================
# external interface (all external IPv4 traffic)
# =============================================================================
# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and don't send out garbage.
#
block out log quick on $ext_if inet from !$ext_if to any
# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if inet from any to { 255.255.255.255, 62.65.145.31 }
# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if inet from $unroutable to any
# ICMP
#
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp from any to $ext_if \
icmp-type 8 code 0 keep state
# UDP
#
pass out on $ext_if inet proto udp from $ext_if to any \
keep state
#pass in on $ext_if inet proto udp from any to $ext_if \
port $services_udp keep state
# TCP
#
pass out on $ext_if inet proto tcp from $ext_if to any \
flags S/SA keep state
#pass in on $ext_if inet proto tcp from any to $ext_if \
port $services_tcp flags S/SA keep state
Look familiar?
Next, nat.conf:
# $OpenBSD: nat.conf,v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and examples
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
#
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
nat on tl0 from 192.168.0.0/24 to any -> tl0

# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. a state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# rdr on ext0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678
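To see how the posted ruleset treats a packet forwarded from the LAN, here is an added illustration (it is not pf's code and not part of the original post) that walks a subset of the rules above with pf's matching semantics: rules are evaluated in order, the last matching rule wins unless a matching rule is `quick`, and on OpenBSD 3.x the `nat` rule rewrites the source address before the filter rules see the packet (which is also why `pfctl` shows the `-> tl0` from nat.conf as `-> 12.253.82.148`). The scrub, port-specific and `flags /S` rules are omitted; the interface names and addresses are the ones in the post, and the test packets (with 198.51.100.7 standing in for an Internet host) are constructed.

```python
from ipaddress import ip_address, ip_network

EXT_IF, INT_IF = "tl0", "ep0"
EXT_IP = ip_address("12.253.82.148")      # tl0 address shown by pfctl in the post
LAN = ip_network("192.168.0.0/24")        # nat source network from nat.conf


def rule(n, action, direction, iface=None, proto=None, src="any", dst="any",
         quick=False, log=False, neg_src=False):
    """One filter rule; n is the @N index that pfctl -s rules printed above."""
    return dict(n=n, action=action, dir=direction, iface=iface, proto=proto,
                src=src, dst=dst, quick=quick, log=log, neg_src=neg_src)


# Subset of the posted ruleset that decides where forwarded LAN traffic ends up.
RULES = [
    rule(2, "block", "out", log=True),
    rule(3, "block", "in", log=True),
    rule(8, "pass", "out", INT_IF, quick=True),
    rule(11, "pass", "in", INT_IF, quick=True),
    # @20: anything leaving tl0 that does not carry the tl0 address is logged and dropped
    rule(20, "block", "out", EXT_IF, src=str(EXT_IP), neg_src=True, quick=True, log=True),
    rule(24, "block", "in", EXT_IF, src="192.168.0.0/16", quick=True, log=True),
    rule(25, "block", "in", EXT_IF, src="172.16.0.0/12", quick=True, log=True),
    rule(26, "block", "in", EXT_IF, src="10.0.0.0/8", quick=True, log=True),
    rule(27, "block", "in", EXT_IF, src="127.0.0.0/8", quick=True, log=True),
    rule(28, "pass", "out", EXT_IF, "icmp", src=str(EXT_IP)),
    rule(30, "pass", "out", EXT_IF, "udp", src=str(EXT_IP)),
    rule(31, "pass", "out", EXT_IF, "tcp", src=str(EXT_IP)),
]


def addr_match(spec, addr, negate=False):
    """'any' or a host/network spec, with the '!' negation used by rule @20."""
    hit = spec == "any" or addr in ip_network(spec, strict=False)
    return not hit if negate else hit


def translate(pkt):
    """nat on tl0 from 192.168.0.0/24 to any -> tl0: rewrite the source on the way out.
    On OpenBSD 3.x translation is applied before the filter rules are evaluated."""
    src = ip_address(pkt["src"])
    if pkt["dir"] == "out" and pkt["iface"] == EXT_IF and src in LAN:
        return EXT_IP
    return src


def evaluate(pkt, nat_enabled=True):
    """Return (verdict, rule number, logged, source address as the filter saw it).
    Last matching rule wins; a matching quick rule ends evaluation immediately."""
    src = translate(pkt) if nat_enabled else ip_address(pkt["src"])
    dst = ip_address(pkt["dst"])
    winner = None
    for r in RULES:
        if r["dir"] != pkt["dir"] or (r["iface"] and r["iface"] != pkt["iface"]):
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if not addr_match(r["src"], src, r["neg_src"]) or not addr_match(r["dst"], dst):
            continue
        winner = r
        if r["quick"]:
            break
    if winner is None:  # pf passes unmatched packets; @2/@3 make this unreachable here
        return ("pass", None, False, str(src))
    return (winner["action"], winner["n"], winner["log"], str(src))


if __name__ == "__main__":
    # Constructed packets: a LAN host forwarded out tl0, the same with NAT not applied,
    # a spoofed private source arriving on tl0, and a LAN packet entering on ep0.
    lan_out = dict(dir="out", iface=EXT_IF, proto="tcp", src="192.168.0.10", dst="198.51.100.7")
    print("LAN -> Internet, NAT applied:", evaluate(lan_out))
    print("LAN -> Internet, no NAT     :", evaluate(lan_out, nat_enabled=False))
    print("10/8 source inbound on tl0  :", evaluate(dict(dir="in", iface=EXT_IF, proto="tcp",
                                                         src="10.1.1.1", dst=str(EXT_IP))))
    print("LAN host inbound on ep0     :", evaluate(dict(dir="in", iface=INT_IF, proto="tcp",
                                                         src="192.168.0.10", dst="198.51.100.7")))
```

The second case is the one worth watching: a forwarded packet that reaches tl0 without being translated is caught by @20 and logged, so `tcpdump -n -e -ttt -i pflog0` showing blocked packets with a 192.168.0.x source means the nat rule is not being applied to them, whereas LAN traffic that never appears on pflog0 or tl0 at all never reached the outbound path in the first place.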
- Re: perPLEXed, NAT issues Nathaniel Fisher
- Re: perPLEXed, NAT issues Camiel Dobbelaar
- Re: perPLEXed, NAT issues Daniel Hartmeier
- Re: perPLEXed, NAT issues Daniel Hartmeier