
No net access from nat box



I've got an OpenBSD 3.2 stable box serving as my nat box for
home. For the nat'ed boxen everything is peachy as far as internet
access goes.
However, accessing the internet FROM the openbsd nat box itself doesn't
seem to work in most cases. For instance I can use cvsup (although it
does take a loooong time) but I can't ping anything outside the local
lan (it's not dns), I can't traceroute, can't surf with lynx...nothing.
I don't understand why cvsup would work but nothing else seems to.
For example, I can cvsup to the cvsup server rt.fm but I can't ping it. I
can't view www.openbsd.org or any sites by name or IP. I'm okay with not
being able to surf from the nat box, but I can't retrieve/build ports
either, and that's my only real issue. I've seen this before a long
time ago but I don't recall the solution.
Where should I go first?

My pf.conf:

# OpenBSD /etc/pf.conf
# Packet Filtering ruleset
# Standard non-bridge configuration
# Last update 12/14/02
#
# Sections must appear in this order
# Scrub, NAT & rdr, filter rules
#
# Define our variables
ext_if="fxp0"		# External interface
int_if="fxp1"		# Internal interface
int_net="192.168.1.0/24"	# Our internal network
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
Services="{ ssh }"

# Clean up fragmented and abnormal packets
scrub in all fragment reassemble

# NAT section
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if
rdr on $ext_if proto tcp from any to $ext_if port 22 -> 192.168.1.6 port 22
rdr on $ext_if proto tcp from any to $ext_if port 113 -> 192.168.1.6 port 113

# Don't allow anyone to spoof non-routable addresses
block in quick on $ext_if inet from $NoRouteIPs to any
block out quick on $ext_if inet from any to $NoRouteIPs

# Default Deny Policy
block in log on $ext_if all
pass out quick on $ext_if all

# Allow ssh connections from company network and block/log anyone else
pass in log quick on $ext_if inet proto tcp from x.x.x.0/24 to any port 22 flags S/SA keep state
pass in log quick on $ext_if inet proto tcp from x.x.x.0/24 to any port 22 flags S/SA keep state
block in log quick on $ext_if inet proto tcp from any to any port $Services

# Allow auth requests for IRC networks
pass in quick on $ext_if inet proto tcp from any to any port 113

# Allow pings in (mostly for ISP's dhcp server benefit)
# From http://ezine.daemonnews.org/200207/transpfobsd.html
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# Block packets with FIN,URG & PSH flags set (nmap attempts)
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Pass outgoing traffic out and maintain state on established connections
block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state

# Traffic from OpenBSD cvsup servers
pass in on $ext_if inet proto tcp from 209.242.32.10 to any
pass in on $ext_if inet proto tcp from 128.46.156.46 to any
pass in on $ext_if inet proto tcp from 128.102.197.15 to any



-- 
+---------------------------------------------------------------------+
|Steve Wingate		<s_(_dot_)_wingate_(_at_)_cox_(_dot_)_net>			       
|MCSE, CCNA		Sat Jan 11 22:00:00 PST 2003  
+---------------------------------------------------------------------+
|FreeBSD 4.7-STABLE						   
|10:00PM  up 12 days,  6:24, 0 users, load averages: 0.00, 0.00, 0.00  
+---------------------------------------------------------------------+
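As an added example, not part of the original post or any reply to it, the following Python model reproduces how pf chooses the winning rule for the external-interface rules in the pf.conf above: a packet matching an existing state entry passes before any rule is consulted, otherwise the last matching rule wins, except that a matching rule marked `quick` ends the search at once. Run against the posted order, the model shows that `pass out quick on $ext_if all` wins for every packet the box itself sends, so the later `keep state`/`modulate state` rules never run and no state is created; a ping reply or an HTTP reply then falls to `block in log on $ext_if all`, while replies from the three cvsup servers are rescued by the explicit `pass in ... from <cvsup server>` rules. The model is a simplification (no scrub, nat, rdr or TCP-flag matching; the x.x.x.0/24 rule is omitted; only one `$NoRouteIPs` prefix is shown), the addresses 203.0.113.5, 198.51.100.7 and 198.51.100.80 are constructed, and the `without_quick_pass_out` variant is an assumed fix for illustration rather than anything the post states.

```python
"""Model of pf rule evaluation, added to illustrate the ruleset posted above
(not code from the post).  Semantics modelled: a packet matching an existing
state entry passes before any rule is consulted; otherwise the LAST matching
rule wins, except that a matching rule marked `quick` ends the search.
Simplifications: no scrub/nat/rdr, no TCP flag checks, the x.x.x.0/24
company-network rule is omitted, and only one $NoRouteIPs prefix is shown."""
import ipaddress


def rule(action, direction, proto=None, src="0.0.0.0/0", dst="0.0.0.0/0",
         dport=None, icmp_type=None, quick=False, state=False):
    """One pf rule on the external interface; None means 'any'."""
    return dict(action=action, direction=direction, proto=proto,
                src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst),
                dport=dport, icmp_type=icmp_type, quick=quick, state=state)


def packet(direction, proto, src, dst, sport=0, dport=0, icmp_type=None):
    """A constructed packet as seen on the external interface."""
    return dict(direction=direction, proto=proto,
                src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                sport=sport, dport=dport, icmp_type=icmp_type)


def matches(r, p):
    return (r["direction"] == p["direction"]
            and r["proto"] in (None, p["proto"])
            and p["src"] in r["src"] and p["dst"] in r["dst"]
            and r["dport"] in (None, p["dport"])
            and r["icmp_type"] in (None, p["icmp_type"]))


def evaluate(ruleset, p, states):
    """Return 'pass' or 'block' for packet p; stateful passes add to states."""
    key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
    reverse = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
    if key in states or reverse in states:      # state table wins outright
        return "pass"
    winner = None
    for r in ruleset:
        if matches(r, p):
            winner = r
            if r["quick"]:                       # quick: stop at this rule
                break
    if winner is None:                           # pf's default is to pass
        return "pass"
    if winner["action"] == "pass" and winner["state"]:
        states.add(key)
    return winner["action"]


# The external-interface rules from the posted pf.conf, in file order.
RULES_AS_POSTED = [
    rule("block", "in", src="192.168.0.0/16", quick=True),   # one $NoRouteIPs entry
    rule("block", "in"),                                     # block in log on $ext_if all
    rule("pass", "out", quick=True),                         # pass out quick on $ext_if all
    rule("block", "in", proto="tcp", dport=22, quick=True),  # port $Services
    rule("pass", "in", proto="tcp", dport=113, quick=True),  # auth for IRC
    rule("pass", "in", proto="icmp", icmp_type=8, state=True),   # echo request in
    rule("block", "out"),                                    # block out on $ext_if all
    rule("pass", "out", proto="tcp", state=True),            # modulate state
    rule("pass", "out", proto="udp", state=True),            # keep state
    rule("pass", "out", proto="icmp", state=True),           # keep state
    rule("pass", "in", proto="tcp", src="209.242.32.10"),    # cvsup servers
    rule("pass", "in", proto="tcp", src="128.46.156.46"),
    rule("pass", "in", proto="tcp", src="128.102.197.15"),
]


def without_quick_pass_out(ruleset):
    """Assumed fix (not from the post): drop `quick` from `pass out all`, so the
    later stateful `pass out` rules become the last match for outbound packets."""
    return [dict(r, quick=False)
            if r["action"] == "pass" and r["direction"] == "out" and r["proto"] is None
            else r for r in ruleset]


BOX = "203.0.113.5"   # constructed: the nat box's own external address


def reply_passes(ruleset, proto, peer, sport=0, dport=0, out_type=None, in_type=None):
    """Send one packet from the box to peer, then ask whether the reply gets in."""
    states = set()
    evaluate(ruleset, packet("out", proto, BOX, peer, sport, dport, out_type), states)
    reply = packet("in", proto, peer, BOX, dport, sport, in_type)
    return evaluate(ruleset, reply, states) == "pass"


def ping_reply_passes(ruleset):      # echo request out, echo reply back
    return reply_passes(ruleset, "icmp", "198.51.100.7", out_type=8, in_type=0)


def cvsup_reply_passes(ruleset):     # CVSup's port 5999 on a listed cvsup server
    return reply_passes(ruleset, "tcp", "209.242.32.10", sport=40000, dport=5999)


def http_reply_passes(ruleset):      # lynx to a constructed web server
    return reply_passes(ruleset, "tcp", "198.51.100.80", sport=40001, dport=80)


if __name__ == "__main__":
    for name, rs in (("as posted", RULES_AS_POSTED),
                     ("quick removed", without_quick_pass_out(RULES_AS_POSTED))):
        print(f"{name:13s} ping={ping_reply_passes(rs)} "
              f"cvsup={cvsup_reply_passes(rs)} http={http_reply_passes(rs)}")
```

Checking the live ruleset the same way is done with `pfctl -s rules` and `pfctl -s state` on the box: if outbound connections from the nat box never appear in the state table, the `quick` pass-out rule is what is short-circuiting the stateful rules below it.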