any BSD PF "experts" here?

Darrin Chandler dwchandler at stilyagin.com
Mon Mar 6 09:00:07 MST 2006


At a quick glance I see two choices.

Option 1) There's the oidentd package, which has NAT support.

Option 2) Your 192.168.16.4 box could be changed to a static mapping or 
binat.

Option X) Ask this on the PhxBUG list main at bsd.phoenix.az.us ;)

I'd like to look at this closer right now, but I'm rather busy at work 
today.

Technomage wrote:

>ok, I seem to be running into a small problem with my pf (OpenBSD) firewall.
>
>seems I cannot get the auth port (113) to forward (even though I have followed 
>the documentation and even had some help).
>
>below is the relevant sections of PF I am concerned with:
>#######################################################################
>### Macros: define common values, so they can be referenced and
>### changed easily.
>ext_if="le0"    # replace with actual external interface name i.e., dc0
>int_if="hme0"   # replace with actual internal interface name i.e., dc1
>
>### Network macros
>
>#hosts
>internal_net="192.168.16.1/24"
>skype_addr="192.168.16.4"
>bittorrent_4_addr="192.168.16.4"
>bittorrent_1_addr="192.168.16.17"
>mechwarrior_addr="192.168.16.17"
>identd_addr="192.168.16.4"
>sshd_addr="192.168.16.4"
>
>### System macros
>nat_proto="{ tcp, udp, icmp, igmp }"
>
>#######################################################################
>### Normalization: reassemble fragments and resolve or reduce traffic
>### ambiguities.
>scrub in all
>scrub out all
>
>#######################################################################
>### Translation: specify how addresses are to be mapped or redirected.
># nat: packets going out through $ext_if with source address $internal_net
># will get translated as coming from the address of $ext_if, a state is
># created for such packets, and incoming packets will be redirected to the
># internal address.
>nat on $ext_if inet proto $nat_proto \
>        from $internal_net to any -> ($ext_if)
>
># rdr: packets coming in on $ext_if with destination $external_addr:1234 will
># be redirected to 10.1.1.1:5678. A state is created for such packets, and
># outgoing packets will be translated as coming from the external address.
>
>rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>        39046 -> $skype_addr port 39046
>rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>        36881:36889 -> $bittorrent_4_addr port 36881:*
>rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>        6881:6889 -> $bittorrent_1_addr port 6881:*
>rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>        2300:2350 -> $mechwarrior_addr port 2300:*
>rdr on $ext_if inet proto udp from any to ($ext_if) port \
>        2300:2350 -> $mechwarrior_addr port 2300:*
>rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>        113 -> $identd_addr port 113
>rdr on $ext_if inet proto tcp from any to ($ext_if) port \
>        2222 -> $sshd_addr port 22
>
>#######################################################################
>## Filtering: the implicit first two rules are
># pass all local traffic, and block everything else.
>pass quick on lo0 all
>block in all
>block out all
>
>###
>### [ext] pass in all allowed traffic
>
># DHCP assignments to Firewalled Host
>pass in on $ext_if inet proto tcp \
>        from any to $ext_if port { 68 }
>
># Skype to VoIP Host
>pass in on $ext_if inet proto tcp \
>        from any to $ext_if port { 39046 } keep state flags S/SA
>
># Bit Torrent space 4
>pass in on $ext_if inet proto tcp \
>        from any to $ext_if port { 36881, 36882, \
>        36883, 36884, 36885, 36886, 36887, 36888, \
>        36889 } keep state flags S/SA
>
># Bit Torrent space 1
>pass in on $ext_if inet proto tcp \
>        from any to $ext_if port { 6881, 6882, \
>        6883, 6884, 6885, 6886, 6887, 6888, \
>        6889 } keep state flags S/SA
>
>#mechwarrior ports
>pass in on $ext_if inet proto tcp \
>        from any to $ext_if port { 2300 2301 2302 \
>        2303 2304 2305 2306 2307 2308 2309 2310 2311 \
>        2312 2312 2313 2314 2315 2316 2317 2318 2319 \
>        2320 2321 2322 2323 2324 2325 2326 2327 2328 \
>        2329 2330 2331 2332 2333 2334 2335 2336 2337 \
>        2338 2339 2340 2341 2342 2343 2344 2345 2346 \
>        2347 2348 2349 2350 } keep state flags S/SA
>
>pass in on $ext_if inet proto udp \
>        from any to $ext_if port { 2300 2301 2302 \
>        2303 2304 2305 2306 2307 2308 2309 2310 2311 \
>        2312 2312 2313 2314 2315 2316 2317 2318 2319 \
>        2320 2321 2322 2323 2324 2325 2326 2327 2328 \
>        2329 2330 2331 2332 2333 2334 2335 2336 2337 \
>        2338 2339 2340 2341 2342 2343 2344 2345 2346 \
>        2347 2348 2349 2350 }
>
># Identd Auth (for irc)
>pass in on $ext_if inet proto tcp \
>        from any to $ext_if port { 113 } keep state flags S/SA
>
># sshd high port
>pass in on $ext_if inet proto tcp \
>        from any to $ext_if port { 2222 } keep state flags S/SA
>
>
>### [ext] pass out all previously nat'd protocols
>pass out on $ext_if inet proto $nat_proto \
>        all keep state
>
>###
>### [int] pass in/out all internal traffic to the outside/inside & keep state
>pass in on $int_if inet proto $nat_proto \
>        all keep state
>pass out on $int_if inet proto $nat_proto \
>        all keep state
>
>####################
>
>now, so far, all attempts to have this work (especially for ssh and auth) seem 
>to fail. the traffic gets to the port on the firewall and then goes nowhere 
>after that.
>
>HELP!
>
>---------------------------------------------------
>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>To subscribe, unsubscribe, or to change your mail settings:
>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


-- 
Darrin Chandler            |  Phoenix BSD Users Group
dwchandler at stilyagin.com   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
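As an added example (not from Darrin's reply or Technomage's post), two alternative pf.conf fragments for the 113 and 2222 forwards: the rdr form with filter rules that match the translated destination, and the binat form Darrin's Option 2 points at. The macros are the poster's; `$ext_alias` and its address are placeholders.

```conf
# Added example, not from the original post. Uses the poster's macros and the
# pre-OpenBSD 4.7 pf syntax, where translation rules run before filter rules.
ext_if="le0"
identd_addr="192.168.16.4"
sshd_addr="192.168.16.4"

# --- Alternative A: rdr --------------------------------------------------
# The rdr rewrites the destination address and port before filtering, so a
# "pass in ... to $ext_if port 113" rule never sees the redirected packet.
# Filter on the internal host and on the post-translation port instead.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 113  -> $identd_addr port 113
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 -> $sshd_addr port 22

pass in on $ext_if inet proto tcp from any to $identd_addr port 113 \
        flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $sshd_addr port 22 \
        flags S/SA keep state

# --- Alternative B: binat (Option 2 in the reply) ------------------------
# binat is a 1:1 mapping between the internal host and a second public
# address, so ports arrive unchanged (ssh on 22, identd on 113). $ext_alias
# is a placeholder; that address must be configured as an alias on $ext_if.
# Use either A or B for 192.168.16.4, not both.
ext_alias="203.0.113.10"    # placeholder from TEST-NET-3, not a real address
binat on $ext_if from $identd_addr to any -> $ext_alias

pass in on $ext_if inet proto tcp from any to $identd_addr port { 22, 113 } \
        flags S/SA keep state
```

Both fragments rely on the poster's existing `pass out on $int_if inet proto $nat_proto all keep state` rule to carry the forwarded packets onto the internal segment.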