Subject says it. I'm trying to bring up a new firewall with OpenBSD 3.8 + pf to replace the aging Linux one here, and something is not clicking for me between the ears. Right now all I'm trying to do is get NATing working between the internal network and the internet, but I'm not even getting that far. For some reason my initial "nat pass" rules never kick off and the default block rule snarfs the return packets coming back from the net. At least that's what tcpdump seems to be trying to tell me.
Setup is simple: internal net with static IPs at 192.168.0.x, external link to the internet with a single static IP. Firewall has xl0 at the net and xl1 on the internal net at 192.168.0.128.

Working backwards, here's what I'm seeing from tcpdump when I try to make a simple HTTP request from the internal net and get a reply back:

# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog, link-type PFLOG
Dec 13 12:41:02.4133 rule 20/(match) block out on xl1: 64.33.534.90.80 > 192.168.0.129.1110: [|tcp]
etc...

Here's the (simplified) pf.conf:
----------------
ext_if = "xl0"
good_if = "xl1"
ext_ip0 = "64.81.173.10"
ext_ip1 = "64.81.173.11"
good_net = "192.168.0.128/26"
good_gw = "192.168.0.128"
table <firewall_ips> const { $good_gw, $ext_all }

# policies / runtime options
set loginterface $good_if
set debug loud
set state-policy if-bound

# scrub
scrub in on $ext_if all

# Rule 1 (NAT) translate source address for outgoing connections
nat pass on $ext_if proto {tcp udp icmp} from $good_net to any -> $ext_ip0

# antispoof
pass quick on lo0 all label "pass any->loopback"
antispoof log quick for { $good_if $ext_if } inet label "block antispoof"

# Rule 1.5 get stuff in to the firewall for NATing
pass in quick on $good_if inet from $good_net to any

# Rule 2 (global) All other attempts to connect to the firewall itself
# from other than the good network are denied and logged.
block in log quick inet from any to <firewall_ips> label "block in other->fw_any"

# Rule 7 (global) Provide for outgoing traffic
pass out quick on $ext_if proto tcp all modulate state flags S/SA label "pass out ext "
pass out quick on $ext_if proto { udp icmp } all keep state label "pass out ext"
pass out quick on $good_if proto tcp from any to $good_net modulate state flags S/SA label "pass out good"
pass out quick on $good_if proto udp from any to $good_net keep state label "pass out good"

# Rule 99 (global) Anything that falls through is denied and logged.
block in log quick inet all label "block in (default)"
block out log quick inet all label "block out (default)"
-------------

BTW, the "rule 20" referred to in the tcpdump is the final "block out" rule.

I actually don't know why I even need the rule #7 rules at all - I would have expected the "nat pass" to have taken care of the outgoing NATable traffic. Regardless, now that they're there, I can't understand why they're getting evaluated (I can see this from pfctl -sa) but not catching the return traffic, and letting it fall through to the default block rule.

So, again, I think I'm missing something basic here. Help?

thanks
---jon---
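Added editorial example (not jon's configuration and not from any reply on the list): a minimal NAT gateway ruleset for pf as shipped with OpenBSD 3.x, reusing the post's macro and interface names, that shows the state-tracking point the trace above illustrates. A connection from the inside crosses the firewall twice, in on xl1 and out on xl0, and pf of that era evaluates each crossing separately and needs a state entry for each one; "keep state" is not implied on a pass rule before OpenBSD 4.1, so a rule without it passes the first packet and nothing else. The trace shows the reply being accepted in on xl0 (the outside state exists) and then blocked out on xl1: on that side the only candidate rule demands "flags S/SA", which a SYN+ACK cannot satisfy, so the packet falls through to the default block. The example keeps the weak rule commented out beside a form that creates the inside state; the addresses and the if-bound policy are copied from the post and are otherwise assumptions.

```pf
# Added example for OpenBSD 3.x pf (assumed macros mirror the post, not a real site)
ext_if   = "xl0"
good_if  = "xl1"
ext_ip0  = "64.81.173.10"
good_net = "192.168.0.128/26"

# copied from the post; the inside-state requirement below applies to "floating" too
set state-policy if-bound

scrub in on $ext_if all

# Rule 1 (NAT): rewrite the source of outbound connections on the outside interface
nat pass on $ext_if proto { tcp udp icmp } from $good_net to any -> $ext_ip0

# Weak form (what the post has): passes the inbound SYN on xl1 but creates no state,
# so the reply going back out on xl1 must match a rule on its own and a SYN+ACK
# never matches "flags S/SA".
#pass in quick on $good_if inet from $good_net to any

# Corrected form: create state on the inside crossing, with the same SYN-only
# restriction used on the outside so that only connection openers create state
pass in quick on $good_if inet proto tcp from $good_net to any modulate state flags S/SA
pass in quick on $good_if inet proto { udp icmp } from $good_net to any keep state

# Outside crossing for traffic the translation rule did not already handle
pass out quick on $ext_if inet proto tcp all modulate state flags S/SA
pass out quick on $ext_if inet proto { udp icmp } all keep state

# Anything else is denied and logged; "pfctl -ss" should then show two entries
# per inside connection, one bound to xl1 and one bound to xl0.
block in log quick inet all
block out log quick inet all
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then watch "tcpdump -n -e -ttt -i pflog0" while opening a connection from the inside: with the corrected rule in place the reply should no longer appear in the log at all, and "pfctl -ss" lists both state entries.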