Re: nat-to private address
Hi all. I add some.
USB memory only 2GB running OpenBSD works as dhcpd + nat. Namely

sd1 at scsibus2 targ 1 lun 0: SCSI0 0/direct removable serial.1d0d0211078C0D1310DE
sd1: 1900MB, 512 bytes/sector, 3891200 sectors
root on sd1a (4ef3e82a493a09dc.a) swap on sd1b dump on sd1b

# df
Filesystem  512-blocks     Used    Avail Capacity  Mounted on
/dev/sd1a      3697340   481116  3031360    14%    /

and original pf.conf +
match out on rum0 from !rum0:network to any nat-to (rum0)
can nat. It is very convenient to remember.
Later think deeply, and rewrite pf.conf.
Sorry, I abbreviate 1 point.

cat /etc/rc.conf.local
dhcpd_flags=""  #NO # for normal use: ""

cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $
set skip on lo
block return    # block stateless traffic
pass            # establish keep-state
###
match out on rum0 from !rum0:network to any nat-to (rum0)
###
# rum0 is firewall's ext_if
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# pfctl -ss
all tcp 192.168.11.1:22 <- 192.168.11.3:35074       ESTABLISHED:ESTABLISHED
all udp 192.168.11.255:631 <- 192.168.11.3:631       NO_TRAFFIC:SINGLE

# pfctl -sr
block return all
pass all flags S/SA
match out on rum0 inet from ! 192.168.100.0/24 to any nat-to (rum0) round-robin
block return in on ! lo0 proto tcp from any to any port 6000:6010

In linux I pkg_add udhcpd, and iptables is too complex to deal with.
So, OpenBSD is great.
- Bye.
tuyosi takesima.
http://openbsd-akita.blogspot.jp/2014/06/openbsad-runs-on-usb-memory-no-need-hdd.html
Re: nat-to private address
Hi, all.
I was able to do it thanks to the instruction of misc all. I report it.
In addition, this OpenBSD is running on USB memory only.

sd1 at scsibus2 targ 1 lun 0: SCSI4 0/direct removable serial.85641000CE38A0VNSTPO
sd1: 30944MB, 512 bytes/sector, 63373312 sectors

OpenBSD
---
more /etc/sysctl.conf
# $OpenBSD: sysctl.conf,v 1.54 2012/09/20 12:51:43 yasuoka Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

cat /etc/hostname.rum0
#ext_if
dhcp nwid URoad-662EA0 wpakey 04271

cat /etc/hostname.bge0
#int_if
inet 192.168.11.1 255.255.255.0 NONE

cat /etc/dhcpd.interfaces
bge0

cat /etc/dhcpd.conf
option domain-name-servers 192.168.100.254 ;
subnet 192.168.11.0 netmask 255.255.255.0 {
        option routers 192.168.11.1;
        range 192.168.11.10 192.168.11.11;
}

cat /etc/pf.conf
# macros
int_if="bge0"
ext_if="rum0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface egress
set skip on lo

# FTP Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp divert-to 127.0.0.1 port 8021

# match rules
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

pfctl -ss
all tcp 192.168.11.1:22 <- 192.168.11.10:34071       ESTABLISHED:ESTABLISHED
all udp 192.168.11.255:631 <- 192.168.11.10:631       NO_TRAFFIC:SINGLE

pfctl -sr
anchor "ftp-proxy/*" all
pass in quick on bge0 inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
match out on rum0 inet from ! (rum0:network) to any nat-to (rum0:0)
block return in log all
pass out quick all flags S/SA
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! bge0 inet from 192.168.11.0/24 to any
block drop in quick inet from 192.168.11.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on bge0 inet6 from fe80::21e:c9ff:fe05:78fc to any
pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 113 flags S/SA
pass in inet proto icmp all icmp-type echoreq
pass in on bge0 all flags S/SA

puppy linux (dhcp client)
---
fconfig -a
eth0      Link encap:Ethernet  HWaddr 00:00:39:E3:38:99
          inet addr:192.168.11.10  Bcast:192.168.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1711 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1103913 (1.0 MiB)  TX bytes:313349 (306.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

cat /etc/resolv.conf
# Generated by dhcpcd for interface eth0
nameserver 192.168.100.254      (wifi router's address)

ping www.openbsd.org
PING www.openbsd.org (129.128.5.194): 56 data bytes
64 bytes from 129.128.5.194: seq=0 ttl=227 time=311.753 ms
64 bytes from 129.128.5.194: seq=1 ttl=227 time=312.358 ms
^C
--- www.openbsd.org ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 311.753/312.055/312.358 ms

route -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.11.0    *               255.255.255.0   U     0   0      0    eth0
169.254.0.0     *               255.255.0.0     U     0   0      0    eth0
127.0.0.0       *               255.0.0.0       U     0   0      0    lo
default         192.168.11.1    0.0.0.0         UG    0   0      0    eth0

THANKS! THANKS!
--
tuyosi takesima
Re: nat-to private address
Hello Tuyosi,

Thursday, June 26, 2014, 5:34:05 AM, you wrote:

TT> according to man pf.conf
TT>  10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
TT>  172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
TT>  192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
TT> nat-to is usually applied outbound. If applied inbound, nat-to
TT> to a local IP address is not supported.

It is confusing, but probably means something else. I have a number of
nat-to to "private" IPs, and they work fine. I'm not running the latest
version, but hope the nat-to behavior hasn't changed (the man hasn't).

The nat-to could be tricky, you need to make sure packets in question are
going into the interface you want *before* the NAT. Here comes the
routing, which is specially tricky, because in a number of cases running
"route add" isn't enough (or doesn't help at all).

--
Best regards,
Boris                          mailto:bo...@twopoint.com
Re: nat-to private address
On Thu, Jun 26, 2014 at 12:14:42PM +0300, Gregory Edigarov wrote:
> On 06/26/2014 04:09 AM, Tuyosi Takesima wrote:
>> I tried in various ways, but I can not do 'nat-to private address'.
>> I think that nat-to global address is OK but nat-to private address is
>> NO .

Did you enable IP forwarding? What's the output of:

# sysctl net.inet.ip.forwarding
Re: nat-to private address
On 2014-06-26, Tuyosi Takesima wrote:
> I pick
> --
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> ---
> from http://www.openbsd.org/faq/pf/example1.html
>
> But, this match rules don't work .
>
> according to man pf.conf
>  10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
>  172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
>  192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
> nat-to is usually applied outbound. If applied inbound, nat-to
> to a local IP address is not supported.

"applied outbound" means a rule using "match out"
"applied inbound" means a rule using "match in"

So this does not apply to you anyway because your nat-to rule is
"applied outbound".

"local IP address" means an "IP address on the machine running PF"

If you show output "pfctl -sr" and "ifconfig -A" and "sysctl
net.inet.ip.forwarding" we may be able to help further.
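To make the two points of this reply (and of the later reply asking whether the NAT interface is in the egress group) concrete, here is an added example that is not part of the thread and not OpenBSD code: a small Python model of the rule `match out on EXT inet from !(EXT:network) to any nat-to (EXT:0)`. It parses a constructed `ifconfig -A` excerpt (interface names, addresses and group membership are invented), resolves `(egress:network)` and `(egress:0)` in the way pf.conf(5) describes them, and decides per packet whether the rule would translate it. The `forwarding_enabled` helper reads the `sysctl net.inet.ip.forwarding` line that the reply asks for. The `:0` expansion is simplified to the first address of the first matching interface.

```python
"""Model of 'match out on EXT inet from !(EXT:network) to any nat-to (EXT:0)'.

Added example, not from the thread or from OpenBSD.  Interface names,
addresses, group names and the sysctl line are constructed for the demo.
"""
import ipaddress
import re

# Constructed ifconfig -A excerpt (not real output): rum0 is the uplink with a
# private address and carries the egress group; bge0 is the LAN side.
IFCONFIG_SAMPLE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        groups: wlan egress
        inet 192.168.100.12 netmask 0xffffff00 broadcast 192.168.100.255
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255
"""


def parse_ifconfig(text):
    """Return {ifname: {"groups": set(), "inet": [IPv4Interface, ...]}}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        head = re.match(r"^(\w+): flags=", raw)
        if head:
            cur = head.group(1)
            ifaces[cur] = {"groups": set(), "inet": []}
            continue
        line = raw.strip()
        if line.startswith("groups:"):
            ifaces[cur]["groups"].update(line.split()[1:])
        elif line.startswith("inet "):
            fields = line.split()            # inet ADDR netmask 0xHEX ...
            prefix = bin(int(fields[3], 16)).count("1")
            ifaces[cur]["inet"].append(
                ipaddress.ip_interface(f"{fields[1]}/{prefix}"))
    return ifaces


def members(name, ifaces):
    """Interfaces matched by NAME, which may be an interface or a group."""
    return [i for i, d in ifaces.items() if i == name or name in d["groups"]]


def resolve(spec, ifaces):
    """Expand NAME, NAME:0 or NAME:network roughly as pf.conf(5) describes.
    Simplification: ':0' takes the first address of the first member."""
    name, _, mod = spec.partition(":")
    addrs = [a for i in members(name, ifaces) for a in ifaces[i]["inet"]]
    if not addrs:
        raise ValueError(f"{name!r} names no interface or group with an inet address")
    if mod == "network":
        return [a.network for a in addrs]
    if mod == "0":
        return [addrs[0].ip]
    return [a.ip for a in addrs]


def nat_applies(out_if, src, ext, ifaces):
    """Decide whether the match-out rule translates a packet leaving OUT_IF
    with source SRC.  Returns the new source address, or None if the rule
    does not match.  'to any' means the destination is never consulted, so
    whether the uplink address is RFC 1918 or public plays no role."""
    if out_if not in members(ext, ifaces):
        return None                          # not leaving via the uplink
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in net for net in resolve(f"{ext}:network", ifaces)):
        return None                          # already on the uplink's network
    return str(resolve(f"{ext}:0", ifaces)[0])


def forwarding_enabled(sysctl_output):
    """Read 'net.inet.ip.forwarding=1' as printed by sysctl(8)."""
    key, _, val = sysctl_output.strip().partition("=")
    return key == "net.inet.ip.forwarding" and val.strip() == "1"


if __name__ == "__main__":
    ifaces = parse_ifconfig(IFCONFIG_SAMPLE)
    for out_if, src in [("rum0", "192.168.11.10"), ("rum0", "192.168.100.12"),
                        ("bge0", "192.168.11.10")]:
        print(out_if, src, "->", nat_applies(out_if, src, "egress", ifaces))
    print("forwarding:", forwarding_enabled("net.inet.ip.forwarding=0"))
```

Running it shows a LAN packet leaving rum0 getting the private uplink address 192.168.100.12 as its new source, while a packet already sourced from the uplink network, or one leaving through bge0, is left alone. If `members("egress", ifaces)` came back empty on a real box, that is the "interface not in the egress group" case, and `(egress:0)` would resolve to nothing.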
Re: nat-to private address
On Thu, Jun 26, 2014 at 07:34:05PM +0900, Tuyosi Takesima wrote:
> I pick
> --
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> ---
> from http://www.openbsd.org/faq/pf/example1.html
>
> But, this match rules don't work .

Is the interface you're NATing to on the egress group? What if you
replace 'egress' with the appropriate interface's name?

> according to man pf.conf
>  10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
>  172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
>  192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
> nat-to is usually applied outbound. If applied inbound, nat-to
> to a local IP address is not supported.

I think you are misinterpreting things. If I understand correctly, in
your case 'outbound' means 'from 192.168.11.x to anywhere', whereas
'inbound' would be 'from anywhere to 192.168.11.y'. So you _do_ want to
NAT outbound traffic, and OpenBSD does that just fine.

--
Re: nat-to private address
On Thu, Jun 26, 2014 at 07:34:05PM +0900, Tuyosi Takesima wrote:
> I pick
> --
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> ---
> from http://www.openbsd.org/faq/pf/example1.html
>
> But, this match rules don't work .
>
> according to man pf.conf
>  10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
>  172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
>  192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
> nat-to is usually applied outbound. If applied inbound, nat-to
> to a local IP address is not supported.

In general, nat-to is used for outbound, rdr-to for inbound. I don't
understand what you are trying to achieve. I suggest you study the FAQ.

http://www.openbsd.org/faq/pf/config.html

	-Otto
Re: nat-to private address
I pick
--
# match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)
---
from http://www.openbsd.org/faq/pf/example1.html

But, this match rules don't work .

according to man pf.conf
 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
nat-to is usually applied outbound. If applied inbound, nat-to
to a local IP address is not supported.
Re: nat-to private address
On Thu, Jun 26, 2014 at 07:00:22PM +0900, Tuyosi Takesima wrote:
> thanks for your advice
> I write down more detail .
> IN case of Debian , regardless security
>
>   internet
>      |
>   router
>   192.168.0.1
>      |
>   192.168.0.x
>   debian firewall :udhcpd&iptables
>   192.168.11.1
>      |iptables -t nat -P PREROUTING ACCEPT
>      |iptables -t nat -P POSTROUTING ACCEPT
>      |
>      |
>      |
>   192.168.11.y
>   linux puppy
>
> puppy can access internet by debian's iptables(like pf).
> I want to do same thing by openbsd .
> But nat-to is forbidden to private address.
> It is embarrassing .

Your conclusion is wrong. OpenBSD can do nat to any address, if it is
available on the interface.
Re: nat-to private address
thanks for your advice
I write down more detail .
IN case of Debian , regardless security

  internet
     |
  router
  192.168.0.1
     |
  192.168.0.x
  debian firewall :udhcpd&iptables
  192.168.11.1
     |iptables -t nat -P PREROUTING ACCEPT
     |iptables -t nat -P POSTROUTING ACCEPT
     |
     |
     |
  192.168.11.y
  linux puppy

puppy can access internet by debian's iptables(like pf).
I want to do same thing by openbsd .
But nat-to is forbidden to private address.
It is embarrassing .
Re: nat-to private address
On 06/26/2014 04:09 AM, Tuyosi Takesima wrote:
> hi,all.
> I tried in various ways, but I can not do 'nat-to private address'.
> I think that nat-to global address is OK but nat-to private address is
> NO .
> Is there another way (for example rdr, rdr-to) ?
> I myself can't do .
> sorry for poor english.

That depends on what you want to achieve. sometimes you just need a
route to the right destination pointing to the right interface.

--
With best regards,
        Gregory Edigarov
nat-to private address
hi,all.
I tried in various ways, but I can not do 'nat-to private address'.
I think that nat-to global address is OK but nat-to private address is
NO .
Is there another way (for example rdr, rdr-to) ?
I myself can't do .
sorry for poor english.