Re: Routing to servers via NAT box
Quoting Hugo Villeneuve (harpagon@jwales.EINTR.net):
> On Tue, Sep 03, 2002 at 02:03:10PM +1000, Rod... Whitworth wrote:
> > I have a box (old P166) running the July 1 snapshot. It has been
> > running doing NAT for a small LAN to an ADSL connection. Works fine.
> >
> > Only line in pf.conf at present is:
> > nat on fxp0 from 192.168.1.0/24 to any -> fxp0
> >
> > fxp0 is connection to ADSL
> > fxp1 is the LAN (192.168.1.0/24 bound address is .254)
> >
> > Now for the problem:
> > fxp2 is the NIC for the servers. It is configured as 203.x.y.209 for a
> > routed subnet 203.x.y.208/29)
> >
> > From the box I can ping .209 (of course!) and a test server at .211
> > From across the internet I cannot ping either of those.
> >
> > Running tcpdump on fxp0 shows that something is getting to the box:
> > 18:51:35.145380 arp who-has 203.x.y.211 tell 10.0.0.138
> > (10.0.0.138 is the ADSL modem)
>
> If you want to use OpenBSD to firewall your machines, you'll need
> to go with an bridge setup. But then, you would have to move 192.../24
> on another PC.
No, you don't need a bridge.
I allow certain ports through my (3 legged) firewall. A chunk
of pf.conf is below:
----------------------------------------------------------------------
if_inet=sis1                 # internet-facing interface
if_in=sis0                   # inside interface
InsideIP="220.00.00.0/24"    # inside network (no stray leading space inside the quotes)
PUBLIC_ADDR="a.b.c.d"        # the firewall's public address (placeholder; not given in the post)
scrub in all
nat on $if_inet from $InsideIP to any -> $PUBLIC_ADDR
rdr on $if_inet proto tcp from any to any port 8001 -> 220.00.00.21 port 80
rdr on $if_inet proto tcp from any to any port 8002 -> 220.00.00.25 port 80
rdr on $if_inet proto tcp from any to any port 8003 -> 220.00.00.31 port 80
----------------------------------------------------------------------
If packets go OUT ($if_inet), they get natted to the public address.
Packets coming IN on port 8001 get sent to ... 21 on port 80. 8002 -> '25/80.
Etc.
If you are ROUTING, then your ADSL "router" needs to know to send
packets for 203.x.y.208/29 to your OpenBSD box.
I've never used bridging for this, I wouldn't want to unless I
had real routed IPs on the subnet (which is the Right Answer).
To me, bridges are best used in a situation where you have
some machines on a non-subnetted network that you want to protect.
So that SGI on the same network as secure machines might be
protected by a bridging machine.
Worst case, be a bridge. But smack your ISP anyhow.
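As an added example, not from either poster, here is a complete three-legged pf.conf for the layout in the original question, written in the pf syntax of that period: the private LAN behind fxp1 is NAT'ed, while the routed /29 behind fxp2 is left untranslated and simply filtered. It assumes the interface names and 192.168.1.0/24 from the post; "203.x.y.208/29" is the post's own placeholder and must be replaced with the real subnet. The tcpdump line in the question (the modem ARPing for .211 on the ADSL link) fits the reply's point: the ADSL router is treating the /29 as local instead of forwarding it to the OpenBSD box, and no pf rule can fix that on its own.

```conf
# Added example (not from the thread): three-legged pf.conf for the
# original poster's layout. Interface names and the 192.168.1.0/24 LAN
# come from the post; the /29 below is the post's placeholder.
ext_if="fxp0"                     # ADSL side
lan_if="fxp1"                     # private LAN, NAT'ed
dmz_if="fxp2"                     # server subnet, routed (no NAT)
lan_net="192.168.1.0/24"
dmz_net="203.x.y.208/29"          # placeholder from the post; substitute the real /29

scrub in all

# Only the private LAN is translated. The routed /29 is deliberately NOT
# listed here: its addresses are reachable as-is once the ADSL router
# forwards 203.x.y.208/29 to this box. rdr is only needed for hosts that
# have no public address of their own (the 8001->80 style rules above).
nat on $ext_if from $lan_net to any -> $ext_if

# Default deny inbound on every interface, then open only what is needed.
block in all
pass out all keep state

# The private LAN may initiate anything; replies ride on the state entry.
pass in on $lan_if from $lan_net to any keep state

# Inbound to the routed servers: new TCP/80 connections only, stateful.
pass in on $ext_if proto tcp from any to $dmz_net port 80 flags S/SA keep state

# ICMP echo so the poster's ping test from the internet can succeed.
pass in on $ext_if inet proto icmp from any to $dmz_net icmp-type echoreq keep state

# Servers may initiate outbound (DNS, updates); keep state covers the replies.
pass in on $dmz_if from $dmz_net to any keep state
```

Load it with `pfctl -f /etc/pf.conf` after checking syntax with `pfctl -nf /etc/pf.conf`; if the servers are still unreachable while tcpdump on fxp0 shows the modem ARPing for 203.x.y.211, the missing piece is the static route on the ADSL side, not the filter.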