Trying to get little brain round NAT/Routing pf
I'm trying to get a simple pf setup working, but I'm missing something.. I have three hosts, Alice, Bob and Charlie. Alice and Bob are SMTP servers and need to talk to each other via SMTP. Charlie is an OpenBSD 3.7 box with 2 NICs. I *have* enabled IP routing by doing:

  sysctl net.inet.ip.forwarding=1

I have no need to actually NAT the Alice and Bob addresses (unless anyone says that I should), I'm just using NAT as I assume that I have to use NAT to allow the packets through PF.

In my /etc/pf.conf I've got:

  scrub in
  binat from $alice to any -> $alice
  block all

  # Allow packets from Alice to Bob
  pass in on $alice_if proto tcp from $alice to $bob port 25 keep state
  pass out on $bob_if proto tcp from $alice to $bob port 25 keep state

  # Allow packets from Bob to Alice
  pass in on $bob_if proto tcp from $bob to $alice port 25 keep state
  pass out on $alice_if proto tcp from $bob to $alice port 25 keep state

With this, I can telnet bob 25 from alice and it works fine. However, I can't do telnet alice 25 from bob.

I tried adding the line:

  binat from $bob to any -> $bob

but that didn't appear to make any difference.

If I disable pf, then everything works fine (so I know routing tables, etc. are correct).

Can someone help me out here? Am I approaching this the right way or is there a better way to do this?

Thanks, GTG

Gordon Ross, Network Manager/Rheolwr Rhydwaith
Countryside Council for Wales/Cyngor Cefn Gwlad Cymru
Re: Trying to get little brain round NAT/Routing pf
--On 27 July 2005 10:19 +0100, Gordon Ross wrote:

> I'm trying to get a simple pf setup working, but I'm missing something.. I have three hosts, Alice, Bob and Charlie. Alice and Bob are SMTP servers and need to talk to each other via SMTP. Charlie is an OpenBSD 3.7 box with 2 NICs. I *have* enabled IP routing by doing:
>
>   sysctl net.inet.ip.forwarding=1

How are the interfaces configured? (Best way is to paste output of 'ifconfig -a' and 'netstat -rn -f inet', this is easier to read than a verbal description).

> I have no need to actually NAT the Alice and Bob addresses (unless anyone says that I should), I'm just using NAT as I assume that I have to use NAT to allow the packets through PF.

That shouldn't be necessary; if it doesn't work without and this is a simple firewall between the two hosts, something else is likely to be amiss. Removing this is the first thing to try.

>   scrub in
>   binat from $alice to any -> $alice
>   block all
>
>   # Allow packets from Alice to Bob
>   pass in on $alice_if proto tcp from $alice to $bob port 25 keep state
>   pass out on $bob_if proto tcp from $alice to $bob port 25 keep state
>
>   # Allow packets from Bob to Alice
>   pass in on $bob_if proto tcp from $bob to $alice port 25 keep state
>   pass out on $alice_if proto tcp from $bob to $alice port 25 keep state
>
> With this, I can telnet bob 25 from alice and it works fine. However, I can't do telnet alice 25 from bob.

can't:- It would be helpful to describe exactly what happens - connection times out? Connection immediately rejected? No route to host? Some other error? Copy-and-paste is best.

It might help to include your whole pf.conf (xxx out the first byte of the IP address if you have to, but if you do this it's probably a good idea to double-check for typos first).

Generally, to debug PF rulesets, use 'log' in many places (e.g. every block rule and maybe selected 'pass' rules), then watch the logged packets with

  # tcpdump -n -e -ttt -i pflog0

This command line is described in the manual page for pflogd(8), and will show you the exact packets which are being blocked so you can see what you need to allow.
Re: Trying to get little brain round NAT/Routing pf - SOLVED
Stuart Henderson [EMAIL PROTECTED] 27/07/2005 11:37:54

> --On 27 July 2005 10:19 +0100, Gordon Ross wrote:
>
> > I'm trying to get a simple pf setup working, but I'm missing something.. I have three hosts, Alice, Bob and Charlie. Alice and Bob are SMTP servers and need to talk to each other via SMTP. Charlie is an OpenBSD 3.7 box with 2 NICs. I *have* enabled IP routing by doing:
> >
> >   sysctl net.inet.ip.forwarding=1
> >
> > I have no need to actually NAT the Alice and Bob addresses (unless anyone says that I should), I'm just using NAT as I assume that I have to use NAT to allow the packets through PF.
>
> That shouldn't be necessary; if it doesn't work without and this is a simple firewall between the two hosts, something else is likely to be amiss. Removing this is the first thing to try.

After setting up the logging, I saw which line was failing. After much head scratching, I noticed a silly little typo in an IP address (I'd reversed two digits). Fixed that and it all works fine.

Thanks, GTG
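The debugging step the two replies describe (put 'log' on every rule, watch pflog0 with tcpdump, then compare the blocked addresses with what the ruleset thinks the hosts are) can be mechanised, which is what the script below does for the transposed-digit class of mistake that closed this thread. It is an added example and is not code from either poster or from OpenBSD. Everything in it is constructed: the pf.conf (the thread's ruleset with the binat lines dropped and 'log' added), the interface names fxp0/fxp1, the 192.168.x.y addresses, and the three pflog lines. The line format it parses is assumed to be that of 'tcpdump -n -e -ttt -i pflog0' on an OpenBSD of that era; the regex accepts both the 'rule N/(match)' and the older 'rule N/N(match):' spellings.

```python
"""Cross-check blocked packets on pflog0 against the address macros in pf.conf."""
import re
from collections import Counter

# Constructed pf.conf in the shape of the thread's ruleset: no binat, 'log' on
# every rule. Interface names and addresses are invented; $bob deliberately
# carries a transposed-digit typo (.52 where the host really is .25).
SAMPLE_PF_CONF = """\
alice_if = "fxp0"
bob_if   = "fxp1"
alice    = "192.168.10.25"
bob      = "192.168.20.52"

scrub in
block log all
pass in  log on $alice_if proto tcp from $alice to $bob port 25 keep state
pass out log on $bob_if   proto tcp from $alice to $bob port 25 keep state
pass in  log on $bob_if   proto tcp from $bob to $alice port 25 keep state
pass out log on $alice_if proto tcp from $bob to $alice port 25 keep state
"""

# Constructed lines in the style of 'tcpdump -n -e -ttt -i pflog0' (assumed
# format): Bob's SYNs to Alice hit the 'block log all' rule, Alice's SYN to
# the mistyped address is passed.
SAMPLE_PFLOG = """\
Jul 27 11:40:01.103442 rule 0/(match) block in on fxp1: 192.168.20.25.49152 > 192.168.10.25.25: S 1000:1000(0) win 16384 <mss 1460> (DF)
Jul 27 11:40:04.103880 rule 0/(match) block in on fxp1: 192.168.20.25.49152 > 192.168.10.25.25: S 1000:1000(0) win 16384 <mss 1460> (DF)
Jul 27 11:40:09.211307 rule 2/(match) pass in on fxp0: 192.168.10.25.33001 > 192.168.20.52.25: S 2000:2000(0) win 16384 <mss 1460> (DF)
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
IPV4_RE = re.compile(r'\d{1,3}(\.\d{1,3}){3}')
PFLOG_RE = re.compile(
    r'rule (\d+)/\S+\s+(block|pass)\s+(in|out)\s+on\s+(\w+):\s+(\S+)\s+>\s+(\S+):')


def parse_macros(pfconf):
    """Return {address: macro_name} for every quoted macro holding an IPv4 address."""
    macros = {}
    for line in pfconf.splitlines():
        m = MACRO_RE.match(line)
        if m and IPV4_RE.fullmatch(m.group(2)):
            macros[m.group(2)] = m.group(1)
    return macros


def split_host_port(endpoint):
    """'192.168.20.25.49152' -> ('192.168.20.25', 49152); the last dotted field is the port."""
    host, _, port = endpoint.rpartition('.')
    return host, int(port)


def parse_pflog(text):
    """Yield (rule, action, direction, ifname, src, sport, dst, dport) per pflog line."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rule, action, direction, ifname, src, dst = m.groups()
        s, sp = split_host_port(src)
        d, dp = split_host_port(dst)
        yield int(rule), action, direction, ifname, s, sp, d, dp


def near_miss(addr, macros):
    """List macros that differ from addr only in the last octet; flag digit transpositions."""
    net, last = addr.rsplit('.', 1)
    hits = []
    for maddr, name in macros.items():
        mnet, mlast = maddr.rsplit('.', 1)
        if mnet == net and maddr != addr:
            transposed = Counter(mlast) == Counter(last)
            hits.append((name, maddr, transposed))
    return hits


def analyse(pflog, pfconf):
    """One finding per blocked packet: which macros its endpoints match or nearly match."""
    macros = parse_macros(pfconf)
    findings = []
    for rule, action, direction, ifname, src, sport, dst, dport in parse_pflog(pflog):
        if action != 'block':
            continue
        notes = []
        for label, addr in (('src', src), ('dst', dst)):
            if addr in macros:
                notes.append(f"{label} {addr} = ${macros[addr]}")
                continue
            misses = near_miss(addr, macros)
            for name, maddr, transposed in misses:
                hint = "transposed digits?" if transposed else "same subnet"
                notes.append(f"{label} {addr} not a macro; ${name} is {maddr} ({hint})")
            if not misses:
                notes.append(f"{label} {addr} matches no macro")
        findings.append((rule, direction, ifname, sport, dport, '; '.join(notes)))
    return findings


if __name__ == '__main__':
    for finding in analyse(SAMPLE_PFLOG, SAMPLE_PF_CONF):
        print(finding)
```

Run against the constructed data it reports the two blocked SYNs on fxp1 with the note that the source 192.168.20.25 is not any macro but $bob is 192.168.20.52, with the transposed-digits hint; the passed packet is ignored. On a real box you would feed it the saved output of the tcpdump command Stuart gives and your own /etc/pf.conf.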