[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OBSD 3.1 binat issue

To: "Scott Sandeman-Allen (RSCorp)" <scott@rscorp.ab.ca>
Subject: Re: OBSD 3.1 binat issue
From: Dries Schellekens <gwyllion@ace.ulyssis.org>
Date: Wed, 12 Jun 2002 18:42:06 +0200 (CEST)
Cc: <misc@openbsd.org>

On Wed, 12 Jun 2002, Scott Sandeman-Allen (RSCorp) wrote:

> In response to gwyllion@ace.ulyssis.org
>
> |> If I completely flush my rules i.e. "pfctl -F rules", I still don't
> |> get any packets going through.
>
> |You should test your binat rules, without a pf.conf.
> |If this works, your pf.conf is wrong.
>
> Was done _before_ my first message to the list.
>
> I am mirroring an _existing_, well functioning firewall. The _only_ change I
> have made from the running machine to the new machine is the NIC configs. I
> switched from Realtech 8139's (rl*) to Intel (fxp). Everything else is identical
> to the functioning machine.
>
> To recap the steps I took:
>
> Install 3.1
> Configure hostnames.fxp* for 3 NICs and related static IPs
> /etc/rc.conf - enable pf, disable sendmail, ntp and portmap
> /etc/sysctl.conf - enable ipv4 packet forwarding
> copy pf.conf and nat.conf from working system
> edit NICs in *.conf replacing rl* with fxp*
>      (easier because of how I wrote the rules)
> reboot & connect network from existing firewall to new firewall making sure to
> attach correct network with apropriate NIC.
> wait for all networks to activate etc.
> test connectivity with ping etc.
> failures
> verify edit process, make sure there are no typos in
>     hostname.fxp0, .fxp1, .fxp2
>     mygate
>     hosts
>     relsolv.conf
>     pf.conf
>     nat.conf
> test again
> failures
> disable pf.conf
> failures
> re-enable pf.conf
> modify nat.conf to use nat for DMZ interface
> route functions (though inapropriately for intended function)
> re-enable binat and verify with documentation
> run a bunch more fruitless tests over a few days
> test again
> failure
> completely re-build 3.1 system _from scratch_
> run similar tests
> failure
> document configuration
> email list
>
> Obviously others are using binat under 3.1 right?

Yes, it works. Let's try again. Does the binat work without firewall
rules? Binat changes address, so your firewall rules will be different.

You have
binat on $EXT_IF from $MAIL_SERVER to any -> $EXT_IP1
binat on $EXT_IF from $WWW_SERVER  to any -> $EXT_IP2
So you should filter on $MAIL_SERVER and $WWW_SERVER not on $EXT_IP1 and
$EXT_IP2.


Dries
-- 
Dries Schellekens
email: gwyllion@ulyssis.org

References:
- Re: OBSD 3.1 binat issue
  - From: "Scott Sandeman-Allen (RSCorp)" <scott@rscorp.ab.ca>

Prev by Date: Re: OBSD 3.1 binat issue
Next by Date: Re: OBSD 3.1 binat issue
Prev by thread: Re: OBSD 3.1 binat issue
Next by thread: Re: OBSD 3.1 binat issue
Index(es):
- Date
- Thread