Re: pf - "nat pass"
No, not exactly, because that still leaves $int_if wide open to the
internal network. I only want to allow the random high ports required by
NAT. I don't trust this particular internal network, so anything that
leaves the $int_if wide open is unacceptable.
--david
On Fri, 13 Aug 2004 09:19:53 -0500
James Harless <james.harless@gmail.com> wrote:
> I think you're looking for something more like this:
>
> int_if = "de0"
> ext_if = "xl0"
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> block all
> pass quick on lo0 all
> pass in quick from $int_if:network to any keep state
> pass out quick from $ext_if to any keep state
>
>
> That last rule is just there to permit outbound traffic from the
> Firewall itself. If it's traffic from the int_if then state should
> already be established from the int_if. At least, that is my
> understanding of 'state-policy floating' which is the default.
>
> I personally don't use pass rules on NAT. I like to keep everything
> separated so that I can clearly tell which rule allows the traffic I'm
> troubleshooting. So, it is better for me to keep all pass rules for
> an interface together.
>
> James
>
>
> On Fri, 13 Aug 2004 07:04:54 -0400, david l goodrich <dlg@dorkzilla.org>
> wrote:
> > On Thu, 12 Aug 2004 22:05:17 -0600
> > j knight <enabled@myrealbox.com> wrote:
> >
> > > david l goodrich wrote:
> > >
> > > > I figured this is what would happen: 1. clients on both the inside
> > > > and the outside would see no ports open, 2. traffic from the gateway
> > > > machine would go out (i.e. I could ssh out from the gateway box),
> > > > and 3. nat traffic would be passed from the internal net,
> > > > translated, and out to the internet (and back again, of course.)
> > > >
> > > > The first two things happen. The third, which is kinda important,
> > > > doesn't.
> > >
> > > "nat pass" only passes traffic on $ext_if. You must explicitly pass
> > > traffic in on $int_if.
> >
> > Hmm. Okay. I give :]
> >
> > anybody know what "random high ports" nat uses for the connections it
> > translates?
> > --david
> >
> > >
> > > .joel
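An added illustration, not from any message in this thread, of the ruleset the thread converges on: the "random high ports" are source ports that pf picks on $ext_if when it translates a connection, so nothing on $int_if has to be opened for them, and the pass rule on $int_if can be limited to the destination services internal hosts are allowed to reach, with keep state covering the replies. Interface names, the service list and the pinned translation port range are assumptions.

```pf
# Added example; interface names, services and port range are assumptions.
int_if = "de0"
ext_if = "xl0"
# Destination services internal hosts may reach (assumed list).
tcp_services = "{ 22, 80, 443 }"

# Translate internal sources on $ext_if only. pf rewrites the source port
# here; the range is pinned explicitly so the ports in use are known.
nat on $ext_if from $int_if:network to any -> ($ext_if) port 50001:65535

# Default deny; loopback is unrestricted.
block all
pass quick on lo0 all

# $int_if: only the listed destination services, stateful. No high ports
# are opened on this interface; replies match the state created here.
pass in quick on $int_if inet proto tcp from $int_if:network to any port $tcp_services flags S/SA keep state
pass in quick on $int_if inet proto udp from $int_if:network to any port 53 keep state

# $ext_if: outbound from the gateway's own address. Translated internal
# traffic also carries this source address, so it is covered as well.
pass out quick on $ext_if inet proto { tcp, udp } from $ext_if to any keep state
```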