Re: nat-to private address
Hi all . i add some . USB memory only 2GB running openbsd works as dhcpd + nat . namely sd1 at scsibus2 targ 1 lun 0: SCSI0 0/direct removable serial.1d0d0211078C0D1310DE sd1: 1900MB, 512 bytes/sector, 3891200 sectors root on sd1a (4ef3e82a493a09dc.a) swap on sd1b dump on sd1b # df Filesystem 512-blocks Used Avail Capacity Mounted on /dev/sd1a 3697340481116 303136014%/ and original pf.conf + match out on rum0 from !rum0:network to any nat-to (rum0) can nat . it is very convinient to remember. later think deeply , and rewrite pf.conf. sorry , I abbrebiate 1 point . cat /etc/rc.conf.local dhcpd_flags="" #NO # for normal use: "" cat /etc/pf.conf # $OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $ set skip on lo block return# block stateless traffic pass# establish keep-state ### match out on rum0 from !rum0:network to any nat-to (rum0) ### # rum0 is firewall's ext_if # By default, do not permit remote connections to X11 block return in on ! lo0 proto tcp to port 6000:6010 # pfctl -ss all tcp 192.168.11.1:22 <- 192.168.11.3:35074 ESTABLISHED:ESTABLISHED all udp 192.168.11.255:631 <- 192.168.11.3:631 NO_TRAFFIC:SINGLE # pfctl -sr block return all pass all flags S/SA match out on rum0 inet from ! 192.168.100.0/24 to any nat-to (rum0) round-robin block return in on ! lo0 proto tcp from any to any port 6000:6010 In linux I pkg_add udhcpd , and iptables is too complex to deal with . So ,openbssd is greeat . - Bye . tuyosi takesima . http://openbsd-akita.blogspot.jp/2014/06/openbsad-runs-on-usb-memory-no-need-hdd.html
Re: nat-to private address
Hi,all.
I was able to do it thanks to the instruction of misc all
.I report it.
In addition , this openBSD is running on USB memory only .
sd1 at scsibus2 targ 1 lun 0: SCSI4
0/direct removable serial.85641000CE38A0VNSTPO
sd1: 30944MB, 512 bytes/sector, 63373312 sectors
OpenBSD
---
more /etc/sysctl.conf
# $OpenBSD: sysctl.conf,v 1.54 2012/09/20 12:51:43 yasuoka Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1# 1=Permit forwarding (routing) of IPv4 packets
cat /etc/hostname.rum0
#ext_if
dhcp nwid URoad-662EA0 wpakey 04271
cat /etc/hostname.bge0
#int_if
inet 192.168.11.1 255.255.255.0 NONE
cat /etc/dhcpd.interfaces
bge0
cat /etc/dhcpd.conf
option domain-name-servers 192.168.100.254 ;
subnet 192.168.11.0 netmask 255.255.255.0 {
option routers 192.168.11.1;
range 192.168.11.10 192.168.11.11;
}
cat /etc/pf.conf
# macros
int_if="bge0"
ext_if="rum0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
# options
set block-policy return
set loginterface egress
set skip on lo
# FTP Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp divert-to
127.0.0.1 port 8021
# match rules
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pfctl -ss
all tcp 192.168.11.1:22 <- 192.168.11.10:34071 ESTABLISHED:ESTABLISHED
all udp 192.168.11.255:631 <- 192.168.11.10:631 NO_TRAFFIC:SINGLE
pfctl -sr
anchor "ftp-proxy/*" all
pass in quick on bge0 inet proto tcp from any to any port = 21 flags
S/SA divert-to 127.0.0.1 port 8021
match out on rum0 inet from ! (rum0:network) to any nat-to (rum0:0)
block return in log all
pass out quick all flags S/SA
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! bge0 inet from 192.168.11.0/24 to any
block drop in quick inet from 192.168.11.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on bge0 inet6 from fe80::21e:c9ff:fe05:78fc to any
pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 113 flags S/SA
pass in inet proto icmp all icmp-type echoreq
pass in on bge0 all flags S/SA
puppy linux (dhcp client)
---
fconfig -a
eth0 Link encap:Ethernet HWaddr 00:00:39:E3:38:99
inet addr:192.168.11.10 Bcast:192.168.11.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1711 errors:0 dropped:0 overruns:0 frame:0
TX packets:1990 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1103913 (1.0 MiB) TX bytes:313349 (306.0 KiB)
loLink encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
cat /etc/resolv.conf
# Generated by dhcpcd for interface eth0
nameserver 192.168.100.254 (wifi router's addreee)
ping www.openbsd.org
PING www.openbsd.org (129.128.5.194): 56 data bytes
64 bytes from 129.128.5.194: seq=0 ttl=227 time=311.753 ms
64 bytes from 129.128.5.194: seq=1 ttl=227 time=312.358 ms
^C
--- www.openbsd.org ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 311.753/312.055/312.358 ms
route -e
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.11.0* 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.11.10.0.0.0 UG0 0 0 eth0
THANKS! THANKS!
--
tuyosi takesima
Re: nat-to private address
Hello Tuyosi, Thursday, June 26, 2014, 5:34:05 AM, you wrote: TT> accordin to man pf.conf TT> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8) TT> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12) TT> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16) TT> nat-to is usually applied outbound. If applied inbound, nat-to TT> to a local IP address is not supported. It is confusing, but probably means something else. I have a number of nat-to to "private" IPs, and they work fine. I'm not running the latest version, but hope the nat-to behavior hasn't changed (the man hasn't). The nat-to could be tricky, you need to make sure packets in question are going into the interface you want *before* the NAT. Here comes the routing, which is specially tricky, because in a number of cases running "route add" isn't enough (or doesn't help at all). -- Best regards, Borismailto:bo...@twopoint.com
Re: nat-to private address
On Thu, Jun 26, 2014 at 12:14:42PM +0300, Gregory Edigarov wrote: > On 06/26/2014 04:09 AM, Tuyosi Takesima wrote: >> I tried in various ways, but I can not do 'nat-to private address'. >> I think that nat-to global address is OK but nat-to private address is >> NO . Did you enable IP forwarding? What's the output of: # sysctl net.inet.ip.forwarding
Re: nat-to private address
On 2014-06-26, Tuyosi Takesima wrote: > I pick > -- > # match rules > match out on egress inet from !(egress:network) to any nat-to (egress:0) > --- > from http://www.openbsd.org/faq/pf/example1.html > > But, this match rules don't work . > > accordin to man pf.conf > 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8) > 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12) > 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16) > nat-to is usually applied outbound. If applied inbound, nat-to > to a local IP address is not supported. "applied outbound" means a rule using "match out" "applied inbound" means a rule using "match in" So this does not apply to you anyway because your nat-to rule is "applied outbound". "local IP address" means an "IP address on the machine running PF" If you show output "pfctl -sr" and "ifconfig -A" and "sysctl net.inet.ip.forwarding" we may be able to help further.
Re: nat-to private address
On Thu, Jun 26, 2014 at 07:34:05PM +0900, Tuyosi Takesima wrote: > I pick > -- > # match rules > match out on egress inet from !(egress:network) to any nat-to (egress:0) > --- > from http://www.openbsd.org/faq/pf/example1.html > > But, this match rules don't work . Is the interface you're NATing to on the egress group? What if you replace 'egress' with the appropriate interface's name? > accordin to man pf.conf > 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8) > 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12) > 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16) > nat-to is usually applied outbound. If applied inbound, nat-to > to a local IP address is not supported. I think you are misinterpreting things. If I understand correctly, in you case 'outbound' means 'from 192.168.11.x to anywhere', whereas 'inbound' would be 'from anywhere to 192.168.11.y'. So you _do_ want to NAT outbound traffic, and OpenBSD does that just fine. --
Re: nat-to private address
On Thu, Jun 26, 2014 at 07:34:05PM +0900, Tuyosi Takesima wrote: > I pick > -- > # match rules > match out on egress inet from !(egress:network) to any nat-to (egress:0) > --- > from http://www.openbsd.org/faq/pf/example1.html > > But, this match rules don't work . > > accordin to man pf.conf > 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8) > 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12) > 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16) > nat-to is usually applied outbound. If applied inbound, nat-to > to a local IP address is not supported. In general, nat-to is used for outbound, rdr-to for inbound. I don't understand what you are trying to achieve. I suggest you study the FAQ. http://www.openbsd.org/faq/pf/config.html -Otto
Re: nat-to private address
I pick -- # match rules match out on egress inet from !(egress:network) to any nat-to (egress:0) --- from http://www.openbsd.org/faq/pf/example1.html But, this match rules don't work . accordin to man pf.conf 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8) 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12) 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16) nat-to is usually applied outbound. If applied inbound, nat-to to a local IP address is not supported.
Re: nat-to private address
On Thu, Jun 26, 2014 at 07:00:22PM +0900, Tuyosi Takesima wrote: > thanks for your advise > I write down more detail . > IN case of Debian , regardless security > > internet > | > router > 192:168.0.1 > | > 192.168.0.x > debian firewall :udhcpd&iptables > 192.168.11.1 > |iptables -t nat -P PREROUTING ACCEPT > |iptables -t nat -P POSTROUTING ACCEPT > | > | > | > 192.168.11.y > linux puppy > > puppy can access intenet by debian's iptables(like pf). > I want to do same thing by openbsd . > But nat-to is forbidden to private address. > It is embarassing . Your conlusion is wrong. OpenBSD can do nat to any adress, if it is available on the interface.
Re: nat-to private address
thanks for your advise I write down more detail . IN case of Debian , regardless security internet | router 192:168.0.1 | 192.168.0.x debian firewall :udhcpd&iptables 192.168.11.1 |iptables -t nat -P PREROUTING ACCEPT |iptables -t nat -P POSTROUTING ACCEPT | | | 192.168.11.y linux puppy puppy can access intenet by debian's iptables(like pf). I want to do same thing by openbsd . But nat-to is forbidden to private address. It is embarassing .
Re: nat-to private address
On 06/26/2014 04:09 AM, Tuyosi Takesima wrote: hi,all. I tried in various ways, but I can not do 'nat-to private address'. I think that nat-to global address is OK but nat-to private address is NO . Is there another way (for example rdr, rdr-to) ? I myself can't do . sorry for poor english. That depends on what you want to achieve. sometimes you just need a route to the right destination pointing to the right interface. -- With best regards, Gregory Edigarov
nat-to private address
hi,all. I tried in various ways, but I can not do 'nat-to private address'. I think that nat-to global address is OK but nat-to private address is NO . Is there another way (for example rdr, rdr-to) ? I myself can't do . sorry for poor english.
