OpenBSD Firewall (NLC)

Pyne, Jeffrey Jeffrey.Pyne@schwab.com
Mon, 14 Feb 2000 13:25:58 -0700


So, as I explained to Rick Gardner, with whom I had a short e-mail exchange
on Friday, the lesson I learned was never to try to admin a firewall with a
head full of phlegm.  When I got home from work and opened up my
/etc/nat.rules file, I noticed right away that I had fat-fingered the
interface name.  I had typed "en0" instead of "ne0".  I corrected the typo,
and "BAM!!" it started working.  So far, I like what I see (although I'm not
100% sure what I'm looking at).  Dangerous D. was 100% correct-- following
the instructions on the OpenBSD site works perfectly (provided, of course,
that you don't experience any PEBCAKs).

> ----------
> From: 	D. Taylor[SMTP:dtaylor@www.dssolutions.com]
> Reply To: 	plug-discuss@lists.PLUG.phoenix.az.us
> Sent: 	Saturday, February 12, 2000 3:28 PM
> To: 	'plug-discuss@lists.PLUG.phoenix.az.us'
> Subject: 	Re: OpenBSD Firewall (NLC)
> 
> 
> FWIW, I've set up two OpenBSD boxes as firewalls/NAT,
> one doing PPP dialup, and another for a cable modem
> (two Ethernet NICs in the OpenBSD box).  I followed
> the instructions on OpenBSD's web site, and everything
> worked perfectly.  The only slightly confusing part
> on the cable modem scenario was that you have to
> specify that the NAT is to be done on the "public"
> or "outbound" interface.
> 
> 
> D
> 
> On Fri, 11 Feb 2000, Pyne, Jeffrey wrote:
> 
> > Date: Fri, 11 Feb 2000 08:39:53 -0700
> > From: "Pyne, Jeffrey" <Jeffrey.Pyne@schwab.com>
> > Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
> > To: "'plug-discuss@lists.PLUG.phoenix.az.us'"
> >      <plug-discuss@lists.PLUG.phoenix.az.us>
> > Subject: OpenBSD Firewall (NLC)
> > 
> > A couple weeks ago, someone (Bob George?) posted a message about
> > building an OpenBSD firewall.  I've begun my own project to build one
> > and I've hit a bit of a snag.  I got the OS installed (I LOVE being
> > able to install the *BSD's via ftp!!).  I got my interfaces configured.
> > I've got my routing set up.  I turned on IP forwarding, IP nat and IP
> > filter.  I can get to The Outside World directly from the firewall.  I
> > can get to the firewall from my LAN.  I just haven't figured out how to
> > get to The Outside World from my LAN.  I set up /etc/ipnat.rules and
> > /etc/ipf.rules per the OpenBSD.org instructions.  I have looked at the
> > /usr/share/ipf/* examples.  I have read the ipf, ipnat and ipfstat man
> > pages.  When I run ipnat -ls, it shows that my NAT rules are loaded
> > correctly, but the statistics show that there are 0 matching entries
> > in and 0 matching entries out (so it hasn't been doing any actual
> > NATing).  I've tried running tcpdump and I see my packets on the
> > external interface when I'm trying to ssh out to another machine on
> > the Internet, but a tcpdump on the remote machine shows nothing from
> > my IP.  However, I can ssh directly from my firewall to the remote
> > machine.  If anyone has gotten something like this to work and has any
> > suggestions on what to check next, I'd love to hear them.  Since this
> > has absolutely nothing at all to do with Linux, please e-mail me
> > off-list (at jtpyne@home.com) with any tips.
> > 
> > Thanks.
> > Jeff
> > 
> > _______________________________________________
> > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > 
> 
> 
> _______________________________________________
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
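The two failure modes discussed in this thread (a mistyped interface name in the ipnat rules, and a map rule placed on the LAN-side rather than the outbound interface) can both be caught before the rules are loaded and the only symptom is "0 matching entries". The following checker is an added example, not code from the thread or from OpenBSD; the interface list, which interface counts as public, and the sample rule file are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the interfaces the box actually has (what `ifconfig -l`
# would list). Assumption: ne0 faces the cable modem, ne1 faces the LAN.
KNOWN_IFACES = {"ne0", "ne1", "lo0"}
PUBLIC_IFACES = {"ne0"}

# Constructed sample rule file. Line 2 repeats the typo from the thread
# ("en0" for "ne0"); line 4 maps on the LAN-side interface by mistake.
SAMPLE_RULES = """\
# /etc/ipnat.rules (constructed example)
map en0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ne0 192.168.1.0/24 -> 0/32
map ne1 192.168.1.0/24 -> 0/32
rdr ne0 0/0 port 22 -> 192.168.1.10 port 22 tcp
"""

# ipnat rules start with a keyword followed by the interface name.
RULE_RE = re.compile(r"^\s*(map|rdr|bimap|map-block)\s+(\S+)\s+")

@dataclass
class Finding:
    line_no: int
    iface: str
    problem: str

def lint_ipnat(text, known=KNOWN_IFACES, public=PUBLIC_IFACES):
    """Return one Finding per rule whose interface does not exist on the
    box, or per map-type rule that is not bound to a public interface."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:  # comments, blank lines, anything we do not parse
            continue
        kind, iface = m.group(1), m.group(2)
        if iface not in known:
            findings.append(Finding(n, iface, "unknown interface (typo?)"))
        elif kind in ("map", "bimap", "map-block") and iface not in public:
            findings.append(Finding(n, iface, "NAT not on an outbound interface"))
    return findings

if __name__ == "__main__":
    for f in lint_ipnat(SAMPLE_RULES):
        print(f"line {f.line_no}: {f.iface}: {f.problem}")
```

Run it against the real file with the box's own interface list substituted for the constructed one; a clean rule set returns no findings.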