Re: nat-to private address

2014-06-27 Thread Tuyosi Takesima
Hi all.

I add some more.

A USB memory stick of only 2GB running OpenBSD works as dhcpd + NAT.

namely
sd1 at scsibus2 targ 1 lun 0: SCSI0 0/direct removable serial.1d0d0211078C0D1310DE
sd1: 1900MB, 512 bytes/sector, 3891200 sectors
root on sd1a (4ef3e82a493a09dc.a) swap on sd1b dump on sd1b

# df
Filesystem  512-blocks    Used   Avail Capacity  Mounted on
/dev/sd1a      3697340  481116 3031360    14%    /

and the original pf.conf plus
match out on rum0 from !rum0:network to any nat-to (rum0)
can NAT.

It is very convenient to remember.
Later I will think deeply and rewrite pf.conf.

Sorry, I abbreviated 1 point.
cat /etc/rc.conf.local
dhcpd_flags=""  #NO # for normal use: ""


cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $

set skip on lo
block return            # block stateless traffic
pass                    # establish keep-state
###
match out on rum0 from !rum0:network to any nat-to (rum0)
###
# rum0 is firewall's ext_if
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010


# pfctl -ss
all tcp 192.168.11.1:22 <- 192.168.11.3:35074   ESTABLISHED:ESTABLISHED
all udp 192.168.11.255:631 <- 192.168.11.3:631   NO_TRAFFIC:SINGLE

# pfctl -sr
block return all
pass all flags S/SA
match out on rum0 inet from ! 192.168.100.0/24 to any nat-to (rum0) round-robin
block return in on ! lo0 proto tcp from any to any port 6000:6010

In Linux I pkg_add udhcpd, and iptables is too complex to deal with.
So, OpenBSD is great.

--
Bye. tuyosi takesima.
http://openbsd-akita.blogspot.jp/2014/06/openbsad-runs-on-usb-memory-no-need-hdd.html



Re: nat-to private address

2014-06-27 Thread Tuyosi Takesima
Hi, all.
I was able to do it thanks to the instructions from all of misc. I report it.
In addition, this OpenBSD is running on USB memory only.
sd1 at scsibus2 targ 1 lun 0: SCSI4 0/direct removable serial.85641000CE38A0VNSTPO
sd1: 30944MB, 512 bytes/sector, 63373312 sectors


OpenBSD
---
more /etc/sysctl.conf
#   $OpenBSD: sysctl.conf,v 1.54 2012/09/20 12:51:43 yasuoka Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

cat /etc/hostname.rum0
#ext_if
dhcp nwid URoad-662EA0 wpakey 04271


cat /etc/hostname.bge0
#int_if
inet 192.168.11.1 255.255.255.0 NONE


cat /etc/dhcpd.interfaces
bge0


cat /etc/dhcpd.conf
option  domain-name-servers 192.168.100.254  ;
subnet 192.168.11.0 netmask 255.255.255.0 {
option routers 192.168.11.1;
range 192.168.11.10 192.168.11.11;

}



cat /etc/pf.conf
# macros
int_if="bge0"
ext_if="rum0"

tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface egress
set skip on lo

# FTP Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp divert-to 127.0.0.1 port 8021

# match rules
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# filter rules
block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if


pfctl -ss
all tcp 192.168.11.1:22 <- 192.168.11.10:34071   ESTABLISHED:ESTABLISHED
all udp 192.168.11.255:631 <- 192.168.11.10:631   NO_TRAFFIC:SINGLE



pfctl -sr
anchor "ftp-proxy/*" all
pass in quick on bge0 inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
match out on rum0 inet from ! (rum0:network) to any nat-to (rum0:0)
block return in log all
pass out quick all flags S/SA
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! bge0 inet from 192.168.11.0/24 to any
block drop in quick inet from 192.168.11.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on bge0 inet6 from fe80::21e:c9ff:fe05:78fc to any
pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 113 flags S/SA
pass in inet proto icmp all icmp-type echoreq
pass in on bge0 all flags S/SA




puppy linux (dhcp client)
---
ifconfig -a
eth0  Link encap:Ethernet  HWaddr 00:00:39:E3:38:99
  inet addr:192.168.11.10  Bcast:192.168.11.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:1711 errors:0 dropped:0 overruns:0 frame:0
  TX packets:1990 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:1103913 (1.0 MiB)  TX bytes:313349 (306.0 KiB)

lo        Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  UP LOOPBACK RUNNING  MTU:16436  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


cat /etc/resolv.conf
# Generated by dhcpcd for interface eth0
nameserver 192.168.100.254 (wifi router's address)



ping www.openbsd.org
PING www.openbsd.org (129.128.5.194): 56 data bytes
64 bytes from 129.128.5.194: seq=0 ttl=227 time=311.753 ms
64 bytes from 129.128.5.194: seq=1 ttl=227 time=312.358 ms
^C
--- www.openbsd.org ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 311.753/312.055/312.358 ms



route -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.11.0    *               255.255.255.0   U         0 0          0 eth0
169.254.0.0     *               255.255.0.0     U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         192.168.11.1    0.0.0.0         UG        0 0          0 eth0



THANKS! THANKS!

--
tuyosi takesima

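The dhcpd.conf and hostname.bge0 pair posted in the report above can be sanity-checked mechanically. The following is an added example, not code from the thread or from OpenBSD's dhcpd(8): it parses constructed copies of the two files (same values as posted), checks that the router and the lease range lie inside the declared subnet, that the router is the internal interface's own address, that the range does not swallow that address, and notes when the DNS server handed to clients is off-subnet, i.e. reachable only through the forwarding + nat-to setup. All function names are my own.

```python
"""Consistency check of a dhcpd.conf / hostname.if pair (added example)."""
import ipaddress
import re

# Constructed copies of the files posted in the thread.
DHCPD_CONF = """\
option  domain-name-servers 192.168.100.254  ;
subnet 192.168.11.0 netmask 255.255.255.0 {
option routers 192.168.11.1;
range 192.168.11.10 192.168.11.11;

}
"""
HOSTNAME_INT_IF = """\
#int_if
inet 192.168.11.1 255.255.255.0 NONE
"""


def parse_hostname_if(text):
    """Return the 'inet addr mask' line of a hostname.if(5) file as an ip_interface."""
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["inet"] and len(words) >= 3:
            return ipaddress.ip_interface(f"{words[1]}/{words[2]}")
    return None


def parse_dhcpd_conf(text):
    """Minimal reader for the subset used above: a global DNS option plus
    subnet blocks with 'option routers' and 'range' statements."""
    conf, cur = {"dns": [], "subnets": []}, None
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", line)
        if m:
            cur = {"net": ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
                   "routers": [], "ranges": []}
            conf["subnets"].append(cur)
        elif line == "}":
            cur = None
        else:
            words = line.split()
            if words[:2] == ["option", "domain-name-servers"]:
                conf["dns"] += [ipaddress.ip_address(w.rstrip(",")) for w in words[2:]]
            elif cur is not None and words[:2] == ["option", "routers"]:
                cur["routers"] += [ipaddress.ip_address(w.rstrip(",")) for w in words[2:]]
            elif cur is not None and words[:1] == ["range"] and len(words) == 3:
                cur["ranges"].append((ipaddress.ip_address(words[1]),
                                      ipaddress.ip_address(words[2])))
    return conf


def check(dhcpd_text, hostname_text):
    """Return a list of findings; entries starting with 'note:' are informational."""
    conf, int_if = parse_dhcpd_conf(dhcpd_text), parse_hostname_if(hostname_text)
    findings = []
    for sub in conf["subnets"]:
        net = sub["net"]
        for r in sub["routers"]:
            if r not in net:
                findings.append(f"router {r} is not in {net}")
            elif int_if is None or r != int_if.ip:
                findings.append(f"router {r} is not the internal interface address")
        for lo, hi in sub["ranges"]:
            if lo not in net or hi not in net or lo > hi:
                findings.append(f"range {lo}-{hi} is not inside {net}")
            elif int_if is not None and lo <= int_if.ip <= hi:
                findings.append(f"range {lo}-{hi} contains the firewall's own address")
        for d in conf["dns"]:
            if d not in net:
                findings.append(f"note: DNS server {d} is off-subnet; clients reach it "
                                "only if forwarding and nat-to are in place")
    return findings


if __name__ == "__main__":
    for finding in check(DHCPD_CONF, HOSTNAME_INT_IF):
        print(finding)
```

Run stand-alone it prints only the DNS note for the posted files; the check() list is empty apart from notes when the configuration is self-consistent, so it can be dropped into a pre-deploy script.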


Re: nat-to private address

2014-06-26 Thread Boris Goldberg
Hello Tuyosi,

Thursday, June 26, 2014, 5:34:05 AM, you wrote:

TT> accordin to man pf.conf
TT> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
TT> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
TT> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
TT> nat-to is usually applied outbound. If applied inbound, nat-to
TT> to a local IP address is not supported.

  It is confusing, but probably means something else. I have a number of
nat-to to "private" IPs, and they work fine. I'm not running the latest
version, but hope the nat-to behavior hasn't changed (the man hasn't).

 The nat-to could be tricky, you need to make sure packets in question are
going into the interface you want *before* the NAT. Here comes the routing,
which is specially tricky, because in a number of cases running "route add"
isn't enough (or doesn't help at all).

-- 
Best regards,
 Boris                          mailto:bo...@twopoint.com



Re: nat-to private address

2014-06-26 Thread Erling Westenvik
On Thu, Jun 26, 2014 at 12:14:42PM +0300, Gregory Edigarov wrote:
> On 06/26/2014 04:09 AM, Tuyosi Takesima wrote:
>> I tried in various ways, but I cannot do 'nat-to private address'.
>> I think that nat-to global address is OK but nat-to private address is
>> NO.

Did you enable IP forwarding? What's the output of:

# sysctl net.inet.ip.forwarding



Re: nat-to private address

2014-06-26 Thread Stuart Henderson
On 2014-06-26, Tuyosi Takesima wrote:
> I pick
> --
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> ---
> from http://www.openbsd.org/faq/pf/example1.html
>
> But this match rule doesn't work.
>
> According to man pf.conf:
> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)

> nat-to is usually applied outbound. If applied inbound, nat-to
> to a local IP address is not supported.

"applied outbound" means a rule using "match out".
"applied inbound" means a rule using "match in".

So this does not apply to you anyway because your nat-to rule is
"applied outbound".

"local IP address" means an "IP address on the machine running PF"

If you show the output of "pfctl -sr", "ifconfig -A" and
"sysctl net.inet.ip.forwarding" we may be able to help further.

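The distinction drawn here (the pf.conf(5) restriction is about inbound rules translating to an address local to the firewall, not about private addresses as such), Zé Loff's question about egress group membership, and Erling's forwarding check can all be applied to the three outputs Stuart asks for. The following is an added example, not code from the thread or from OpenBSD: it reads constructed copies of pfctl -sr, ifconfig and sysctl output (modelled on what was posted, with one made-up inbound rule to exercise the unsupported case) and reports, per nat-to rule, whether it is the supported outbound form, whether it hits the unsupported inbound-to-local-address case, and whether the interface or group it names actually carries an address. All helper names are my own.

```python
"""Lint pf nat-to rules against the conditions discussed in the thread (added example)."""
import ipaddress
import re

# The three private ranges quoted from pf.conf(5) in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample outputs; the second nat-to rule is invented to show the
# one case pf.conf(5) calls unsupported.
PFCTL_SR = """\
block return all
pass all flags S/SA
match out on rum0 inet from ! 192.168.100.0/24 to any nat-to (rum0) round-robin
match in on bge0 inet from 192.168.11.0/24 to any nat-to 192.168.11.1
block return in on ! lo0 proto tcp from any to any port 6000:6010
"""
IFCONFIG = """\
rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tgroups: wlan egress
\tinet 192.168.100.10 netmask 0xffffff00 broadcast 192.168.100.255
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255
"""
SYSCTL = "net.inet.ip.forwarding=1"

RULE_RE = re.compile(
    r"^(?:match|pass)\s+(?P<dir>in|out)"
    r"(?:\s+(?:log\s+)?(?:quick\s+)?on\s+(?P<on>\S+))?"
    r".*?\bnat-to\s+(?P<target>\(?[^\s)]+\)?)")


def forwarding_enabled(sysctl_text):
    """True iff net.inet.ip.forwarding=1 appears in the sysctl output."""
    m = re.search(r"net\.inet\.ip\.forwarding\s*=\s*(\d)", sysctl_text)
    return bool(m) and m.group(1) == "1"


def parse_ifconfig(text):
    """Map interface name -> {'groups': set, 'addrs': [ip addresses]}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            cur = head.group(1)
            ifaces[cur] = {"groups": set(), "addrs": []}
            continue
        if cur is None:
            continue
        words = line.split()
        if words[:1] == ["groups:"]:
            ifaces[cur]["groups"].update(words[1:])
        elif words[:1] in (["inet"], ["inet6"]):
            ifaces[cur]["addrs"].append(ipaddress.ip_address(words[1].split("%")[0]))
    return ifaces


def parse_nat_rules(text):
    """Extract direction, 'on' interface and nat-to target from pfctl -sr lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"dir": m.group("dir"), "on": m.group("on"),
                          "target": m.group("target"), "raw": line.strip()})
    return rules


def parse_target(target):
    """('addr', ip) for a literal; ('iface', name) for (ifname), (ifname:0), (group:0)."""
    bare = target.strip("()")
    try:
        return "addr", ipaddress.ip_address(bare)
    except ValueError:
        return "iface", bare.split(":")[0]


def resolve_target(target, ifaces):
    """Addresses a nat-to target can translate to, given the ifconfig data."""
    kind, name = parse_target(target)
    if kind == "addr":
        return [name]
    return [a for ifname, info in ifaces.items()
            if ifname == name or name in info["groups"] for a in info["addrs"]]


def lint_rule(rule, ifaces):
    findings = []
    local = {a for info in ifaces.values() for a in info["addrs"]}
    kind, name = parse_target(rule["target"])
    addrs = resolve_target(rule["target"], ifaces)
    if kind == "iface" and not addrs:
        findings.append(f"no interface or group named '{name}' carries an address; "
                        "check 'ifconfig -A' and egress membership")
    if rule["dir"] == "in" and any(a in local for a in addrs):
        findings.append("UNSUPPORTED: inbound rule with nat-to a local address; "
                        "nat-to belongs in 'match out', inbound uses rdr-to")
    if rule["dir"] == "out":
        if any(any(a in n for n in PRIVATE_NETS) for a in addrs):
            findings.append("ok: outbound nat-to a private (RFC 1918) address is supported")
        if (kind == "iface" and rule["on"] and rule["on"] != name
                and name not in ifaces.get(rule["on"], {}).get("groups", set())):
            findings.append(f"nat-to ({name}) but the rule is on {rule['on']}; "
                            "check routing so packets really leave via the NAT interface")
    return findings


def lint(pfctl_sr, ifconfig_text, sysctl_text):
    """Return {'forwarding': bool, 'rules': [(rule text, [findings])]}."""
    ifaces = parse_ifconfig(ifconfig_text)
    return {"forwarding": forwarding_enabled(sysctl_text),
            "rules": [(r["raw"], lint_rule(r, ifaces)) for r in parse_nat_rules(pfctl_sr)]}


if __name__ == "__main__":
    report = lint(PFCTL_SR, IFCONFIG, SYSCTL)
    print("ip.forwarding:", "on" if report["forwarding"] else "OFF (nothing is routed)")
    for raw, findings in report["rules"]:
        print(raw)
        for f in findings:
            print("   ", f)
```

On a real box the three constants would be replaced by the captured output of the commands Stuart names; the posted rule comes back as "ok", and the invented "match in ... nat-to 192.168.11.1" is the only shape the man page actually rules out.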


Re: nat-to private address

2014-06-26 Thread Zé Loff
On Thu, Jun 26, 2014 at 07:34:05PM +0900, Tuyosi Takesima wrote:
> I pick
> --
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> ---
> from http://www.openbsd.org/faq/pf/example1.html
> 
> But this match rule doesn't work.

Is the interface you're NATing to on the egress group? What if you
replace 'egress' with the appropriate interface's name?

> According to man pf.conf:
> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
> nat-to is usually applied outbound. If applied inbound, nat-to
> to a local IP address is not supported.

I think you are misinterpreting things. If I understand correctly, in
your case 'outbound' means 'from 192.168.11.x to anywhere', whereas
'inbound' would be 'from anywhere to 192.168.11.y'. So you _do_ want to
NAT outbound traffic, and OpenBSD does that just fine.

-- 



Re: nat-to private address

2014-06-26 Thread Otto Moerbeek
On Thu, Jun 26, 2014 at 07:34:05PM +0900, Tuyosi Takesima wrote:

> I pick
> --
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> ---
> from http://www.openbsd.org/faq/pf/example1.html
> 
> But this match rule doesn't work.
> 
> According to man pf.conf:
> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
> nat-to is usually applied outbound. If applied inbound, nat-to
> to a local IP address is not supported.

In general, nat-to is used for outbound, rdr-to for inbound.

I don't understand what you are trying to achieve. I suggest you study the FAQ.
http://www.openbsd.org/faq/pf/config.html

-Otto



Re: nat-to private address

2014-06-26 Thread Tuyosi Takesima
I picked
--
# match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)
---
from http://www.openbsd.org/faq/pf/example1.html

But this match rule doesn't work.

According to man pf.conf:
10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
nat-to is usually applied outbound. If applied inbound, nat-to
to a local IP address is not supported.



Re: nat-to private address

2014-06-26 Thread Otto Moerbeek
On Thu, Jun 26, 2014 at 07:00:22PM +0900, Tuyosi Takesima wrote:

> Thanks for your advice.
> I write down more detail.
> In the case of Debian, regardless of security:
> 
> internet
> |
> router
> 192.168.0.1
> |
> 192.168.0.x
> debian firewall :udhcpd&iptables
> 192.168.11.1
> |iptables -t nat -P PREROUTING ACCEPT
> |iptables -t nat -P POSTROUTING ACCEPT
> |
> |
> |
> 192.168.11.y
> linux puppy
> 
> puppy can access the internet by debian's iptables (like pf).
> I want to do the same thing with openbsd.
> But nat-to is forbidden to private addresses.
> It is embarrassing.

Your conclusion is wrong. OpenBSD can do NAT to any address, if it is
available on the interface.



Re: nat-to private address

2014-06-26 Thread Tuyosi Takesima
Thanks for your advice.
I write down more detail.
In the case of Debian, regardless of security:

internet
|
router
192.168.0.1
|
192.168.0.x
debian firewall :udhcpd&iptables
192.168.11.1
|iptables -t nat -P PREROUTING ACCEPT
|iptables -t nat -P POSTROUTING ACCEPT
|
|
|
192.168.11.y
linux puppy

puppy can access the internet by debian's iptables (like pf).
I want to do the same thing with openbsd.
But nat-to is forbidden to private addresses.
It is embarrassing.



Re: nat-to private address

2014-06-26 Thread Gregory Edigarov

On 06/26/2014 04:09 AM, Tuyosi Takesima wrote:

> Hi, all.
> I tried in various ways, but I cannot do 'nat-to private address'.
> I think that nat-to global address is OK but nat-to private address is
> NO.
>
> Is there another way (for example rdr, rdr-to)?
> I myself can't do it.
> Sorry for my poor English.


That depends on what you want to achieve.
Sometimes you just need a route to the right destination pointing to
the right interface.


--
With best regards,
Gregory Edigarov



nat-to private address

2014-06-25 Thread Tuyosi Takesima
Hi, all.
I tried in various ways, but I cannot do 'nat-to private address'.
I think that nat-to global address is OK but nat-to private address is
NO.

Is there another way (for example rdr, rdr-to)?
I myself can't do it.
Sorry for my poor English.