[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: simple IPF and IPNAT but problem between chair and keyboard

To: "Will Macdonald" <wfm@macscan.co.uk>, <misc@openbsd.org>
Subject: Re: simple IPF and IPNAT but problem between chair and keyboard
From: "Bruce Bauer" <bruce@specialdevices.com>
Date: Tue, 1 May 2001 09:31:33 -0700
Organization: Special Devices, Inc.

It's not clear whether these rules worked on your 2.8 machine or 
not.

In General:

IPNAT rule order.

IPNAT rules are first match and quit EXCEPT they are also 
largest netmask first.  This means that all x/32 rules are 
evaluated before any others.  So in your case the order is not 
important.

IPNAT happens before IPF.

Change your rules to filter on your private addresses.
To verify use ipfstat -hio to see which of your rules are actually 
being matched.

Bruce

> I installed the 2.9 snapshot on a machine yesterday, and configures using
> the same rules I had applied to a 2.8 machine recently, and am having
> serious problems use rdr to send SMTP/www traffice to a machine on internal
> network.
> 
> I have simplified the rules as much as possible, but no joy. I've also read
> through www.obfuscation.org/ipf without any luck.
> 
> Can someone see what is wrong ?? I have modified the file sysctl.conf and
> rc.conf accordingly. All traffic behind the NAT machine works OK, but when I
> try to telnet to port 25 from outside i get no response.
> 
> In the ipnat.rules file I tried having the map rules after the rdr rules,
> but no luck either way.
> /etc/ipnat.rules
> map ep0 10.1.1.7/24 -> 123.123.123.123/32 portmap tcp/udp 1025:65000
> map ep0 10.1.1.7/24 -> 123.123.123.123/32
> 
> #map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
> rdr ep0 123.123.123.123/32 port 25 -> 10.1.1.1 port 25
> rdr ep0 123.123.123.123/32 port 80 -> 10.1.1.1 port 80
> rdr ep0 123.123.123.123/32 port 110 -> 10.1.1.1 port 110
> rdr ep0 123.123.123.123/32 port 143 -> 10.1.1.1 port 143
> rdr ep0 123.123.123.123/32 port 993 -> 10.1.1.1 port 993
> 
> 
> /etc/ipf.rules
> pass in from any to any
> pass out from any to any
> 
> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 25 keep
> state
> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 80 keep
> state
> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 143
> keep state
> pass out quick on ep0 proto tcp from any to any keep state
> 


-*-*-*-*-*-*-*-*-*-*-*-*-*-

All opinions are my own.
All advice is worth what you pay for it.
A little experience often upsets a lot of theory.

-*-*-*-*-*-*-*-*-*-*-*-*-*-

Follow-Ups:
- Re: simple IPF and IPNAT but problem between chair and keyboard
  - From: "Gary MacKay" <Gary@EdisonInfo.com>

References:
- simple IPF and IPNAT but problem between chair and keyboard
  - From: "Will Macdonald" <wfm@macscan.co.uk>

Prev by Date: Re: (VERY OT) Date last logged in
Next by Date: Re: ipnat with ipx?
Prev by thread: simple IPF and IPNAT but problem between chair and keyboard
Next by thread: Re: simple IPF and IPNAT but problem between chair and keyboard
Index(es):
- Date
- Thread