OpenBSD Firewall (NLC)

der.hans PLUGd@LuftHans.com
Sat, 12 Feb 2000 12:29:58 -0700 (MST)


On Fri, 11 Feb 2000, Pyne, Jeffrey wrote:

> A couple weeks ago, someone (Bob George?) posted a message about building an
> OpenBSD firewall.  I've begun my own project to build one and I've hit a bit
> of a snag.  I got the OS installed (I LOVE being able to install the *BSD's
> via ftp!!).  I got my interfaces configured.  I've got my routing set up.  I

I do Debian installs that way :). Actually, I use http, but ftp is also
available. Updates are simple as long as you have a decent amount of
bandwidth. If not, run it at night :).

> turned on IP forwarding, IP nat and IP filter.  I can get to The Outside
> World directly from the firewall.  I can get to the firewall from my LAN.  I
> just haven't figured out how to get to The Outside World from my LAN.  I set
> up /etc/ipnat.rules and /etc/ipf.rules per the OpenBSD.org instructions.  I
> have looked at the /usr/share/ipf/* examples.  I have read the ipf, ipnat
> and ipfstat man pages.  When I run ipnat -ls, it shows that my NAT rules are
> loaded correctly, but the statistics show that there are 0 matching entries
> in and 0 matching entries out (so it hasn't been doing any actual NATing).
> I've tried running tcpdump and I see my packets on the external interface
> when I'm trying to ssh out to another machine on the Internet, but a tcpdump
> on the remote machine shows nothing from my IP.  However, I can ssh directly
> from my firewall to the remote machine.  If anyone has gotten something like
> this to work and has any suggestions on what to check next, I'd love to hear
> them.  Since this has absolutely nothing at all to do with Linux, please

Actually, though we are the Phoenix LINUX Users Group, I think that we don't
have problems with questions about other Open Source *NIX implementations, or
maybe even occasional closed-source *NIX implementations. That said, try
the ASULUG mailing list, as one of our major contributors is a *BSD bigot
:). http://ASULUG.asu.edu/

I'm in favor of us knowing more about *BSD so we know why not to run it
:). Some day I'm going to actually install *BSD long enough to play with
it...

ciao,

der.hans
-- 
# +++++++++++=================================+++++++++++ #
#                  der.hans@LuftHans.com                  #
#             http://home.pages.de/~lufthans/             #
#          Science is magic explained. - der.hans         #
# ===========+++++++++++++++++++++++++++++++++=========== #
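An added example, not part of this thread and not the OpenBSD project's own files: the kind of ipnat.rules and ipf.rules pair the setup described above needs (LAN hosts behind an OpenBSD box, NAT out the external interface), with the checks that explain an ipnat counter stuck at 0 in / 0 out. The interface names (ep0 external, ep1 LAN), the LAN prefix and the rc.conf variable names are assumptions written against the IPFilter syntax of that era.

```conf
# --- /etc/ipnat.rules (constructed example; ep0 = external, 192.168.1.0/24 = LAN are assumptions) ---
# ipnat rewrites outbound packets on the interface named in the map rule. If that name
# is not the interface the packets really leave on, `ipnat -ls` shows 0 in / 0 out, the
# private source address goes out unchanged, and the remote host never sees traffic
# from the firewall's public IP; that matches the symptom in the question.
map ep0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ep0 192.168.1.0/24 -> 0/32

# --- /etc/ipf.rules (constructed example; ep1 = LAN-side interface) ---
# Loopback and the LAN side talk freely.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on ep1 all
pass out quick on ep1 all
# Outbound on the external interface (from the box or, via forwarding, from the LAN):
# allow and keep state so the replies are let back in.
pass out quick on ep0 proto tcp from any to any flags S keep state
pass out quick on ep0 proto udp from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state
# Inbound on the external interface: only state-matched replies, plus ssh to the box itself.
pass in quick on ep0 proto tcp from any to any port = 22 flags S keep state
block in log quick on ep0 all

# --- Checks that go with the rules (as root on the firewall; options per the ipf/ipnat man pages) ---
#   sysctl -w net.inet.ip.forwarding=1   # forwarding off means LAN packets are dropped before NAT
#   ipf -Fa -f /etc/ipf.rules            # flush and reload the filter rules
#   ipnat -CF -f /etc/ipnat.rules        # flush and reload the NAT rules
#   ipnat -ls                            # in/out counters should climb while a LAN host ssh's out
#   tcpdump -ni ep0 port 22              # source address on the wire should be ep0's, not 192.168.1.x
#   (to survive a reboot, /etc/rc.conf needs ipfilter=YES and ipnat=YES; names assumed for OpenBSD 2.x)
```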