Re: Bidirectional translation for DNS and WWW servers
On 6/5/07, Bray Mailloux [EMAIL PROTECTED] wrote:
> Misc Users;
>
> I'm having NAT problems; could someone examine my pf file and make some
> recommendations?

This is really incomplete. What are you trying to accomplish? What works
and what doesn't? What are the interfaces for your internal, dmz, and
external networks (e.g. ifconfig output)?

> PS: My pf.conf file
>
> #Macros
> # 192.168.0.1 subnet
> ext_ip=64.142.102.8
> int_ip=192.168.0.1
> int_block=192.168.0.0/24
>
> #DMZ subnet
> #Interface
> dmz_ip=192.168.1.1
> #DNS 1
> scarlett=192.168.1.2
> pub_scarlett=64.142.102.9
> #DNS 2
> shelly=192.168.1.3
> pub_shelly=64.142.102.10
> #WWW 1
> www_ip=192.168.1.4
> pub_www=64.142.102.11
>
> #Normalizing
> #scrub in all
>
> table <natclients> { $int_ip, !$scarlett, !$shelly, !$www_ip }
>
> #NAT and Binat
> nat on rl0 from $int_block to any -> $ext_ip
> nat on rl0 from $scarlett to any -> $pub_scarlett
> nat on rl0 from $shelly to any -> $pub_shelly
> nat on rl0 from $www_ip to any -> $pub_www
>
> #Default block policy
> #block all
>
> #Anti-spoofing
> #block in quick from urpf-failed
>
> #Traffic passing through
> pass in all
> #pass out all
>
> #External interfaces
> #pass in on rl0 inet proto { tcp, udp } all modulate state
> pass out on rl0 proto { tcp, udp, icmp } all modulate state
Bidirectional translation for DNS and WWW servers
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:bf:3a:2e:66
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 64.142.102.8 netmask 0xff00 broadcast 64.142.102.255
        inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:46:30:0b:b2
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:5b:3d:12:12
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
        inet6 fe80::219:5bff:fe3d:1212%vr0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536

# cat /etc/pf.conf
#Macros
# 192.168.0.1 subnet
ext_ip=64.142.102.8
int_ip=192.168.0.1
int_block=192.168.0.0/24

#DMZ subnet
#Interface
dmz_ip=192.168.1.1
#DNS 1
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
#DNS 2
shelly=192.168.1.3
pub_shelly=64.142.102.10
#WWW 1
www_ip=192.168.1.4
pub_www=64.142.102.11

#Normalizing
#scrub in all

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www

#Default block policy
#block all

#Anti-spoofing
#block in quick from urpf-failed

#Traffic passing through
pass in all
pass out all

#External interfaces
#pass in on rl0 inet proto { tcp, udp } all modulate state
#pass out on rl0 proto { tcp, udp, icmp } all modulate state

# dmesg
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 931 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 401108992 (391708K)
avail mem = 357941248 (349552K)
using 4278 buffers containing 20180992 bytes (19708K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 10/14/00, BIOS32 rev. 0 @ 0xfd8a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd8a0/0x760
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xa000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82810E rev 0x03: rng active, 7Kb/sec
vga1 at pci0 dev 1 function 0 Intel 82810E Graphics rev 0x03: aperture at 0xf800, size 0x400
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
rl0 at pci1 dev 11 function 0 Realtek 8139 rev 0x10: irq 5, address 00:50:bf:3a:2e:66
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 13 function 0 D-Link Systems 530TX+ rev 0x10: irq 9, address 00:13:46:30:0b:b2
rlphy1 at rl1 phy 0: RTL internal PHY
vr0 at pci1 dev 14 function 0 VIA VT6105 RhineIII rev 0x86: irq 10, address 00:19:5b:3d:12:12
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI 0x004063, model 0x0034
ichpcib0 at pci0 dev 31 function 0 Intel 82801AA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801AA IDE rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD100EB-11BHF0>
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <SONY, CD-RW CRX320EE, RYK4> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801AA USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ichiic0 at pci0 dev 31 function 3 Intel 82801AA SMBus rev 0x02: irq 9
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
npx0 at isa0
Re: Bidirectional translation for DNS and WWW servers
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:50:bf:3a:2e:66
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 64.142.102.8 netmask 0xff00 broadcast 64.142.102.255
>         inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1

> binat on rl0 from $scarlett to any -> $pub_scarlett
> binat on rl0 from $shelly to any -> $pub_shelly
> binat on rl0 from $www_ip to any -> $pub_www

The external addresses you're pointing to in your binat statements, you
have them configured as aliases to your external interface (rl0), right?
(One can't tell from ifconfig output unless you run 'ifconfig rl0'
explicitly.)

--Matt
Re: Bidirectional translation for DNS and WWW servers
Matt Rowley wrote:
>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         lladdr 00:50:bf:3a:2e:66
>>         groups: egress
>>         media: Ethernet autoselect (100baseTX full-duplex)
>>         status: active
>>         inet 64.142.102.8 netmask 0xff00 broadcast 64.142.102.255
>>         inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
>
>> binat on rl0 from $scarlett to any -> $pub_scarlett
>> binat on rl0 from $shelly to any -> $pub_shelly
>> binat on rl0 from $www_ip to any -> $pub_www
>
> The external addresses you're pointing to in your binat statements, you
> have them configured as aliases to your external interface (rl0), right?
> (One can't tell from ifconfig output unless you run 'ifconfig rl0'
> explicitly.)
>
> --Matt

No, I did not. I removed them in the past for reasons unknown.

Thank you for your help, everyone.
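Matt's question (are the binat targets configured as aliases on rl0?) is easy to check mechanically. The script below is an added example, not something posted in this thread: it reads a pf.conf fragment and an `ifconfig rl0` listing, both constructed here from the addresses above, expands the `$macro` references, and reports every nat/binat target that is not an address on the interface. The alias commands it prints are only printed, never executed.

```sh
#!/bin/sh
# Added example (not from the thread): find pf nat/binat targets that are
# not configured on the external interface, which is exactly the state
# the original poster's box turned out to be in.

# Constructed pf.conf fragment, using the macro names and addresses posted.
PF_CONF='ext_ip=64.142.102.8
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
shelly=192.168.1.3
pub_shelly=64.142.102.10
www_ip=192.168.1.4
pub_www=64.142.102.11
nat on rl0 from 192.168.0.0/24 to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www'

# Constructed "ifconfig rl0" output: primary address only, no aliases.
IFCONFIG_RL0='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255'

# expand_macro '$name' -> value of "name=..." in PF_CONF (empty if undefined).
expand_macro() {
    name=${1#\$}
    printf '%s\n' "$PF_CONF" | sed -n "s/^$name=//p"
}

# Print every nat/binat target address that the interface does not carry.
# The trailing space in the grep pattern keeps 64.142.102.8 from matching
# a hypothetical 64.142.102.80.
missing_nat_targets() {
    printf '%s\n' "$PF_CONF" | awk '$1=="nat" || $1=="binat" {print $NF}' |
    while read -r target; do
        case $target in
            \$*) addr=$(expand_macro "$target") ;;
            *)   addr=$target ;;
        esac
        printf '%s\n' "$IFCONFIG_RL0" | grep -qF "inet $addr " ||
            printf '%s\n' "$addr"
    done
}

# Print (do not run) the OpenBSD ifconfig commands that would add the
# missing addresses as /32 aliases on rl0.
alias_commands() {
    missing_nat_targets | while read -r addr; do
        printf 'ifconfig rl0 inet %s netmask 255.255.255.255 alias\n' "$addr"
    done
}
```

An address that is only a pf translation target and not configured on the interface is never answered on the wire (no ARP reply, no route), so inbound traffic for the public DNS and WWW addresses never reaches pf at all, which is why all three binat rules looked dead.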
Re: Bidirectional translation for DNS and WWW servers
On 2007/06/06 14:32, BradenM - Sonoma Computer wrote:
> ...pretty useful info...

Also useful for any suspected PF problems:

# pfctl -sa
(to check that the ruleset did indeed get loaded, and that PF is enabled -
if you can also have some pings running we'll see how state tables look
too).

# sysctl net.inet.ip.forwarding
(you never know...)

How does traffic from the outside reach this machine? Is whatever device
that's giving it connectivity set up to send traffic for all the relevant
IP addresses to this box? You should be able to pfctl -d to disable PF and
ping each address from outside. If not, there's a more fundamental problem
that needs looking at before examining the PF configuration. Fix, then
enable PF again (pfctl -e).

Not relevant to you since you pass all traffic, but other people are
reading this who might not: 'log' on all block rules, reload PF, and
(ifconfig pflog0 up; tcpdump -netti pflog0)
Bidirectional translation for DNS and WWW servers
Misc Users;

I'm having NAT problems; could someone examine my pf file and make some
recommendations? (Yes, NAT is well documented. I'm not here because of
issues with clarity.)

Thanks;
Bray.

PS: My pf.conf file

#Macros
# 192.168.0.1 subnet
ext_ip=64.142.102.8
int_ip=192.168.0.1
int_block=192.168.0.0/24

#DMZ subnet
#Interface
dmz_ip=192.168.1.1
#DNS 1
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
#DNS 2
shelly=192.168.1.3
pub_shelly=64.142.102.10
#WWW 1
www_ip=192.168.1.4
pub_www=64.142.102.11

#Normalizing
#scrub in all

table <natclients> { $int_ip, !$scarlett, !$shelly, !$www_ip }

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
nat on rl0 from $scarlett to any -> $pub_scarlett
nat on rl0 from $shelly to any -> $pub_shelly
nat on rl0 from $www_ip to any -> $pub_www

#Default block policy
#block all

#Anti-spoofing
#block in quick from urpf-failed

#Traffic passing through
pass in all
#pass out all

#External interfaces
#pass in on rl0 inet proto { tcp, udp } all modulate state
pass out on rl0 proto { tcp, udp, icmp } all modulate state
Re: Bidirectional translation for DNS and WWW servers
> I'm having NAT problems; could someone examine my pf file and make some
> recommendations? (Yes, NAT is well documented. I'm not here because of
> issues with clarity.)
>
> Thanks;

Well, for starters, you have three 'nat' statements that you probably
meant to be 'binat' statements.

> #NAT and Binat
> nat on rl0 from $int_block to any -> $ext_ip
> nat on rl0 from $scarlett to any -> $pub_scarlett
> nat on rl0 from $shelly to any -> $pub_shelly
> nat on rl0 from $www_ip to any -> $pub_www

Beyond that, you'll have to be more specific as to what your NAT problems
are.

--Matt