Re: ipnat rdr rule
- To: "List -- OpenBSD" <misc@openbsd.org>
- Subject: Re: ipnat rdr rule
- From: "Jan Johansson" <diib@usa.net>
- Date: Wed, 1 Mar 2000 21:17:30 +0100
Good evening.
Writing this while installing M$ SQL 7 (must have some good stuff
too.)
When you only have a few ports you want through, rdr is safer. Bimap
opens your box for all kinds of attacks and you'd better be good at ipf
rule setting. Like stopping port 139 if you have a Windows box on the
inside.
Are you reaching the machine 9.9.9.9? I think you say you don't.
Have you edited /etc/sysctl.conf to set "net.inet.ip.forwarding=1"?
(This is in the ipnat manpage.)
Double check for IPF=YES and IPNAT=YES in /etc/rc.conf.
I don't know if your ipf.rules is valid; the default is
pass in from any to any
pass out from any to any
And also, as someone said, try having the rdr before the map. Mine is so..
These are my guesses..
//Jan J
> --- craig manning <craigmanning@TrellisSoftware.com> wrote:
> > I'm trying to "punch" a set of holes for SMTP and HTTP through an
> > OpenBSD 2.6 release firewall. The setup is fairly simple:
> >
> > ipnat -l shows that the rdr is invoked (I believe) but I don't get
> > through. Am I missing something very simple (ordering, etc.)?
> >
> > -----------
> > List of active MAP/Redirect filters:
> > map fxp0 192.168.0.0/16 -> 9.9.9.9/32 portmap tcp/udp 30000:65000
> > map fxp0 192.168.0.0/16 -> 9.9.9.9/32
> > rdr fxp0 9.9.9.9/32 port 25 -> 192.168.2.20 port 25 tcp
> > rdr fxp0 9.9.9.9/32 port 80 -> 192.168.4.7 port 80 tcp
> >
> > List of active sessions:
> > RDR 192.168.2.20 25 <- -> 165.252.72.13 25 [165.252.72.4 62930]
> >
> > --------------------
> > fxp0: public interface 9.9.9.9
> > fxp1: private interface 192.168.2.0 subnet
> > fxp2: private interface 192.168.4.0 subnet
> >
> > ipf.rules: <greatly simplified for debugging>
> > pass in all
> > pass out all
> >
> > ipnat.rules:
> > map fxp0 192.168.0.0/16 -> 9.9.9.9/32 portmap tcp/udp 30000:65000
> > map fxp0 192.168.0.0/16 -> 9.9.9.9/32 # handle ICMP, etc.
> > rdr fxp0 9.9.9.9/32 port 25 -> 192.168.2.20 port 25
> > rdr fxp0 9.9.9.9/32 port 80 -> 192.168.4.7 port 80
> > -------------------
> >
> > --Craig Manning
> >
> >
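The three checks Jan asks Craig to run by hand (net.inet.ip.forwarding in sysctl.conf, IPF=YES and IPNAT=YES in rc.conf, and rdr rules listed before map rules in ipnat.rules) as one small audit script. This is an added example, not code from the thread or from OpenBSD; the sample ipnat.rules, sysctl.conf and rc.conf it creates are constructed here, modelled on the rules Craig quoted and deliberately set up to fail, and the function names and the file paths passed to them are assumptions. The reorder helper only implements the "rdr before map" file order Jan suggests; whether that order matters on a given ipnat version is not something this script checks.

```shell
#!/bin/sh
# Added example (not from the thread): audit the settings Jan lists.
# The sample files below are constructed here, modelled on Craig's rules,
# and deliberately fail the checks so the script has something to report.

SAMPLE_NAT=$(mktemp)
cat >"$SAMPLE_NAT" <<'EOF'
# constructed sample: map rules first, rdr rules after them
map fxp0 192.168.0.0/16 -> 9.9.9.9/32 portmap tcp/udp 30000:65000
map fxp0 192.168.0.0/16 -> 9.9.9.9/32   # handle ICMP, etc.
rdr fxp0 9.9.9.9/32 port 25 -> 192.168.2.20 port 25 tcp
rdr fxp0 9.9.9.9/32 port 80 -> 192.168.4.7 port 80 tcp
EOF

SAMPLE_SYSCTL=$(mktemp)
printf 'net.inet.ip.forwarding=0\n' >"$SAMPLE_SYSCTL"   # constructed: forwarding off

SAMPLE_RC=$(mktemp)
printf 'IPF=YES\nIPNAT=NO\n' >"$SAMPLE_RC"               # constructed: ipnat not enabled

# Print the number of rdr rules that come after a map rule on the same
# interface. Comment and blank lines are skipped; a trailing "# comment" on
# a rule is harmless because only $1 (keyword) and $2 (interface) are read.
rdr_after_map_count() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "map" { seen_map[$2] = 1 }
        $1 == "rdr" && ($2 in seen_map) { bad++ }
        END { print bad + 0 }
    ' "$1"
}

# Rewrite a rules file so every rdr rule precedes every map rule (the order
# Jan suggests). Relative order inside each group is preserved; comments and
# blank lines stay with the non-rdr group.
reorder_rdr_first() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { other[++no] = $0; next }
        $1 == "rdr" { rdr[++nr] = $0; next }
        { other[++no] = $0 }
        END {
            for (i = 1; i <= nr; i++) print rdr[i]
            for (i = 1; i <= no; i++) print other[i]
        }
    ' "$1"
}

# True when the sysctl file sets net.inet.ip.forwarding to 1 (whitespace tolerant).
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# True when the rc.conf-style file sets the named variable to YES,
# e.g. rc_flag_yes /etc/rc.conf IPNAT
rc_flag_yes() {
    grep -Eq "^[[:space:]]*$2=YES" "$1"
}

# Run every check; prints one line per problem and returns the problem count.
audit_nat_setup() {
    nat=$1; sysctl_file=$2; rc_file=$3; fails=0
    forwarding_enabled "$sysctl_file" ||
        { echo "sysctl.conf: net.inet.ip.forwarding is not set to 1"; fails=$((fails + 1)); }
    rc_flag_yes "$rc_file" IPF ||
        { echo "rc.conf: IPF is not YES"; fails=$((fails + 1)); }
    rc_flag_yes "$rc_file" IPNAT ||
        { echo "rc.conf: IPNAT is not YES"; fails=$((fails + 1)); }
    n=$(rdr_after_map_count "$nat")
    [ "$n" -eq 0 ] ||
        { echo "ipnat.rules: $n rdr rule(s) listed after a map rule on the same interface"; fails=$((fails + 1)); }
    return "$fails"
}

# Stand-alone run against the constructed samples (reports 3 problems).
audit_nat_setup "$SAMPLE_NAT" "$SAMPLE_SYSCTL" "$SAMPLE_RC" || echo "$? problem(s) found"
```

On a real box you would point audit_nat_setup at /etc/ipnat.rules, /etc/sysctl.conf and /etc/rc.conf instead of the constructed samples, and feed the output of reorder_rdr_first into a new file rather than editing in place.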