RESOLVED: PF and passing traffic from RFC 1918 addresses in on external interface
- To: <misc_(_at_)_openbsd_(_dot_)_org>
- Subject: RESOLVED: PF and passing traffic from RFC 1918 addresses in on external interface
- From: "Mark Hopkins" <mhopkins_(_at_)_headwaystaffing_(_dot_)_com>
- Date: Mon, 28 Jul 2003 13:20:13 -0400
- Cc: "Hugo Villeneuve" <harpagon_(_at_)_jwales_(_dot_)_EINTR_(_dot_)_net>, <pedro_(_at_)_am-gen_(_dot_)_org>
- Thread-index: AcNVKR6G4rVD/jA5TSGWWt/7NnqSMwAAanSw
- Thread-topic: PF and passing traffic from RFC 1918 addresses in on external interface
Thanks for your help, Pedro, Hugo, and Henning, that was the problem.
I'm a moron. I beat my head against the wall all weekend on that one. I should have figured that out. Oh well...
From: Pedro la Peu [mailto:pedro_(_at_)_am-gen_(_dot_)_org]
Sent: Monday, July 28, 2003 12:51 PM
Cc: Mark Hopkins
Subject: Re: PF and passing traffic from RFC 1918 addresses in on
> Does pf drop traffic incoming on the external interface from RFC 1918
> address by default, even if the ruleset says to pass in all, pass out all?
> Excerpts from pf.conf:
> nat on fxp1 from 192.168.31.0/24 to any -> 126.96.36.199
> pass in all
> pass out all
Excerpts? Why? Are we to guess what else might be in there?
So you are trying to access nat'd hosts from outside the nat boundary. That
won't work if the excerpt of your pf.conf is accurate wrt translation rules.
When you disable pf it works because you also disable nat.
You need to selectively nat only traffic bound for destinations NOT on your
internal WAN. Otherwise a ping to 192.168.31.2 would arrive OK, but the
response would be subjected to translation and appear to come from the
gateway's external address. So, I guess something like:
no nat on fxp1 from 192.168.31.0/24 to <any internal subnets>
nat on fxp1 from 192.168.31.0/24 to any -> 188.8.131.52
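The following ruleset is an added example, not something posted in this thread, showing one way to write the translation rules Pedro sketches above. It assumes fxp1 is the external interface, 192.168.31.0/24 is the local LAN, and the remote RFC 1918 subnets reached across fxp1 are 10.1.0.0/16 and 10.2.0.0/16; those remote subnets, the macro names and the table name are assumptions for the example, and the external address is the one quoted in the thread.

```pf
# Added example (not from the thread). Assumed layout: fxp1 is the
# external interface, 192.168.31.0/24 the local LAN, and 10.1.0.0/16
# and 10.2.0.0/16 the remote internal subnets reached across fxp1.
ext_if   = "fxp1"
ext_addr = "126.96.36.199"
lan_net  = "192.168.31.0/24"

# Remote RFC 1918 networks that must see our real 192.168.31.x
# addresses rather than the gateway's external address.
table <internal_nets> { 10.1.0.0/16, 10.2.0.0/16 }

# Translation rules are evaluated first-match, so the exception has
# to come BEFORE the catch-all nat rule or it never fires. With the
# order reversed, a reply from 192.168.31.2 to 10.1.0.9 would still
# leave fxp1 with its source rewritten to $ext_addr.
no nat on $ext_if from $lan_net to <internal_nets>
nat on $ext_if from $lan_net to any -> $ext_addr

# Filter rules (last match wins). keep state makes replies follow
# the state the original packet created instead of being evaluated
# as new connections.
pass in  all keep state
pass out all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -s nat` shows the translation rules in the order they will be matched, and `pfctl -s state` shows whether a given connection was translated (a translated state lists the rewritten address after the original one). If traffic from a remote internal subnet still gets answered from the external address, look at the rule order in `pfctl -s nat` first.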