
RESOLVED: PF and passing traffic from RFC 1918 addresses in on external interface



Thanks for your help, Pedro, Hugo, and Henning, that was the problem. 

I'm a moron.  I beat my head against the wall all weekend on that one.  I should have figured that out. Oh well...

Thanks again!

-Mark

-----Original Message-----
From: Pedro la Peu [mailto:pedro_(_at_)_am-gen_(_dot_)_org]
Sent: Monday, July 28, 2003 12:51 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Cc: Mark Hopkins
Subject: Re: PF and passing traffic from RFC 1918 addresses in on external interface



> Does pf drop traffic incoming on the external interface from RFC 1918
> address by default, even if the ruleset says to pass in all, pass out all?

No.

> Excerpts from pf.conf:
> nat on fxp1 from 192.168.31.0/24 to any -> 61.204.158.210
> pass in all
> pass out all

Excerpts? Why? Are we to guess what else might be in there?
Anyway...

So you are trying to access nat'd hosts from outside the nat boundary. That 
won't work if the excerpt of your pf.conf is accurate wrt translation rules. 
When you disable pf it works because you also disable nat.

You need to selectively nat only traffic bound for destinations NOT on your 
internal WAN. Otherwise a ping to 192.168.31.2 would arrive OK, but the 
response would be subjected to translation and appear to come from the 
gateway's external address. So, I guess something like:

no nat on fxp1 from 192.168.31.0/24 to <any internal subnets>
nat on fxp1 from 192.168.31.0/24 to any -> 61.204.158.210

-p
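The reply-translation problem Pedro describes above, as an added example that is not part of the thread: a small Python model of pf's first-match translation rules shows the ping reply from 192.168.31.2 appearing to come from the gateway under the original ruleset, and coming from the real host once the "no nat" rule is in front. The second internal subnet (10.10.0.0/16) and the host addresses are constructed stand-ins for the "<any internal subnets>" placeholder.

```python
import ipaddress

# Constructed model of pf translation-rule evaluation (pre-OpenBSD 4.7 syntax):
# translation rules are first-match, and a matching "no nat" rule exempts the
# packet from translation. fxp1's address and 192.168.31.0/24 are from the
# thread; 10.10.0.0/16 and the hosts below are constructed for illustration.

GATEWAY_EXT = "61.204.158.210"
LAN = ipaddress.ip_network("192.168.31.0/24")
ANY = [ipaddress.ip_network("0.0.0.0/0")]
# Stand-in for "<any internal subnets>": the LAN plus a constructed WAN subnet.
INTERNAL_WAN = [LAN, ipaddress.ip_network("10.10.0.0/16")]

def make_rule(action, src_net, dst_nets, translate_to=None):
    return {"action": action, "src": src_net, "dst": dst_nets, "to": translate_to}

def matches(rule, src, dst):
    return src in rule["src"] and any(dst in net for net in rule["dst"])

def translate(rules, src, dst):
    """Return the source address the receiver sees for a packet src -> dst
    leaving fxp1, applying the first matching translation rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst):
            return str(src) if rule["action"] == "no nat" else rule["to"]
    return str(src)  # no translation rule matched

# Ruleset from the thread: nat on fxp1 from 192.168.31.0/24 to any -> 61.204.158.210
BROKEN = [make_rule("nat", LAN, ANY, GATEWAY_EXT)]

# Pedro's fix: exempt internal destinations before the catch-all nat rule.
FIXED = [make_rule("no nat", LAN, INTERNAL_WAN),
         make_rule("nat", LAN, ANY, GATEWAY_EXT)]

def ping_reply_source(rules, remote_host="10.10.0.5", lan_host="192.168.31.2"):
    """Which address does remote_host see as the source of lan_host's ping reply?"""
    return translate(rules, lan_host, remote_host)

if __name__ == "__main__":
    print(ping_reply_source(BROKEN))  # gateway address: reply looks like it came from fxp1
    print(ping_reply_source(FIXED))   # 192.168.31.2: reply comes from the pinged host
    print(translate(FIXED, "192.168.31.2", "198.51.100.7"))  # Internet-bound: still NATed
```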


