FWIW, I've set up two OpenBSD boxes as firewalls/NAT,
one doing PPP dialup, and another for a cable modem
(two Ethernet NICs in the OpenBSD box). I followed
the instructions on OpenBSD's web site, and everything
worked perfectly. The only slightly confusing part
on the cable modem scenario was that you have to
specify that the NAT is to be done on the "public"
or "outbound" interface.
D
On Fri, 11 Feb 2000, Pyne, Jeffrey wrote:
> Date: Fri, 11 Feb 2000 08:39:53 -0700
> From: "Pyne, Jeffrey" <Jeffrey.Pyne@schwab.com>
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
> To: "'plug-discuss@lists.PLUG.phoenix.az.us'"
> <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: OpenBSD Firewall (NLC)
>
> A couple weeks ago, someone (Bob George?) posted a message about building an
> OpenBSD firewall. I've begun my own project to build one and I've hit a bit
> of a snag. I got the OS installed (I LOVE being able to install the *BSD's
> via ftp!!). I got my interfaces configured. I've got my routing set up. I
> turned on IP forwarding, IP nat and IP filter. I can get to The Outside
> World directly from the firewall. I can get to the firewall from my LAN. I
> just haven't figured out how to get to The Outside World from my LAN. I set
> up /etc/ipnat.rules and /etc/ipf.rules per the OpenBSD.org instructions. I
> have looked at the /usr/share/ipf/* examples. I have read the ipf, ipnat
> and ipfstat man pages. When I run ipnat -ls, it shows that my NAT rules are
> loaded correctly, but the statistics show that there are 0 matching entries
> in and 0 matching entries out (so it hasn't been doing any actual NATing).
> I've tried running tcpdump and I see my packets on the external interface
> when I'm trying to ssh out to another machine on the Internet, but a tcpdump
> on the remote machine shows nothing from my IP. However, I can ssh directly
> from my firewall to the remote machine. If anyone has gotten something like
> this to work and has any suggestions on what to check next, I'd love to hear
> them. Since this has absolutely nothing at all to do with Linux, please
> e-mail me off-list (at jtpyne@home.com) with any tips.
>
> Thanks.
> Jeff
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
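To illustrate the point in the reply above about putting the NAT rule on the outbound interface, here is an added /etc/ipnat.rules fragment (not from either poster); the interface names fxp0 (external) and fxp1 (internal) and the 192.168.1.0/24 LAN range are assumptions.

```conf
# /etc/ipnat.rules (added example; interface names and LAN range are assumed)
#
# fxp0 = external (cable modem / "public") interface, address assigned by the ISP
# fxp1 = internal LAN interface, 192.168.1.1/24
#
# NAT is applied as packets LEAVE the named interface, so the map rule must
# name the outbound interface. 0/32 means "use whatever address fxp0 has",
# which is convenient when the ISP address is assigned dynamically.

# TCP/UDP: rewrite source address and pick a source port from the given range
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000

# Everything else (ICMP etc.): rewrite the source address only
map fxp0 192.168.1.0/24 -> 0/32

# WRONG (shown for contrast, do not use): naming the internal interface.
# Packets from the LAN never leave through fxp1 toward the Internet, so this
# rule matches nothing, and "ipnat -ls" keeps reporting 0 entries in / 0 out
# while tcpdump on fxp0 shows the packets going out with their private
# source address unchanged.
#
#   map fxp1 192.168.1.0/24 -> 0/32

# Reload after editing:  ipnat -CF -f /etc/ipnat.rules
# Verify counters move:  ipnat -ls   (then generate traffic from a LAN host)
```

After reloading, the "in"/"out" counters from ipnat -ls should increase when a LAN host connects outward, and tcpdump on fxp0 should show the firewall's public address as the source.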