Re: PF and passing traffic from RFC 1918 addresses in on external interface
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: PF and passing traffic from RFC 1918 addresses in on external interface
- From: Pedro la Peu <pedro_(_at_)_am-gen_(_dot_)_org>
- Date: Mon, 28 Jul 2003 17:51:11 +0100
- Cc: "Mark Hopkins" <mhopkins_(_at_)_headwaystaffing_(_dot_)_com>
- Reply-to: pedro_(_at_)_am-gen_(_dot_)_org
> Does pf drop traffic incoming on the external interface from RFC 1918
> addresses by default, even if the ruleset says to pass in all, pass out all?
> Excerpts from pf.conf:
> nat on fxp1 from 192.168.31.0/24 to any -> 220.127.116.11
> pass in all
> pass out all
Excerpts? Why? Are we to guess what else might be in there?
So you are trying to access nat'd hosts from outside the nat boundary. That
won't work if the excerpt of your pf.conf is accurate wrt translation rules.
When you disable pf it works because you also disable nat.
You need to selectively nat only traffic bound for destinations NOT on your
internal WAN. Otherwise a ping to 192.168.31.2 would arrive OK, but the
response would be subjected to translation and appear to come from the
gateway's external address. So, I guess something like:
no nat on fxp1 from 192.168.31.0/24 to <any internal subnets>
nat on fxp1 from 192.168.31.0/24 to any -> 18.104.22.168
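The following is an added illustration, not code from this thread, of why the rule order above matters. It is a small Python model of how PF evaluates translation rules (top to bottom, first match wins, and a matching "no nat" ends evaluation without translating) applied to the echo reply a LAN host sends back to a host on another internal subnet. The gateway address 203.0.113.1, the "other internal" subnets and the host addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NatRule:
    """One 'nat' or 'no nat' line, reduced to its from/to match and target."""
    no_nat: bool                                    # True for a 'no nat ...' rule
    src: ipaddress.IPv4Network                      # 'from' network
    dst: List[ipaddress.IPv4Network] = field(default_factory=list)  # 'to' networks; empty = any
    target: Optional[str] = None                    # '-> addr' of a nat rule, None for no nat

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        if src_ip not in self.src:
            return False
        return not self.dst or any(dst_ip in net for net in self.dst)


def translate(rules: List[NatRule], src: str, dst: str) -> str:
    """Source address a packet carries after the outbound NAT rules are applied.

    PF evaluates translation rules in order and takes the first match; a
    matching 'no nat' rule stops evaluation and leaves the packet untouched.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return src if rule.no_nat else rule.target
    return src  # no translation rule matched


LAN = ipaddress.ip_network("192.168.31.0/24")
# Constructed: the gateway's public address and the internal subnets that are
# reachable through fxp1 (the "<any internal subnets>" of the suggested rule).
GATEWAY_EXT = "203.0.113.1"
INTERNAL = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Ruleset of the quoted pf.conf excerpt: nat everything leaving fxp1 from the LAN.
ORIGINAL = [NatRule(no_nat=False, src=LAN, target=GATEWAY_EXT)]

# Ruleset the reply suggests: exempt internal destinations first, nat the rest.
CORRECTED = [
    NatRule(no_nat=True, src=LAN, dst=INTERNAL),
    NatRule(no_nat=False, src=LAN, target=GATEWAY_EXT),
]

if __name__ == "__main__":
    # 192.168.40.5 (another internal subnet) pinged 192.168.31.2; this is the
    # echo reply leaving fxp1. With ORIGINAL it is rewritten to the gateway
    # address and the pinging host never matches it to its request.
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        seen = translate(rules, "192.168.31.2", "192.168.40.5")
        print(f"{name:9s}: reply to 192.168.40.5 appears to come from {seen}")
    print("corrected: reply to an Internet host appears to come from",
          translate(CORRECTED, "192.168.31.2", "198.51.100.7"))
```

With the original ruleset the reply to the internal host is translated to the gateway address; with the "no nat" exemption in front it leaves the LAN address intact, while traffic to non-RFC 1918 destinations is still translated.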