Re: [Fwbuilder-discussion] pf - nat failed -> next try :(
From: Vadim K. ✎ <va...@vk...> - 2008-08-26 16:07:38
On Aug 26, 2008, at 3:33 AM, Koenig, Thomas wrote:

> Hello,
>
> Sorry - but I'm back again.
> Whatever I do - I don't get NAT running on my OpenBSD system.
>
>>>> Interface objects of the firewall are marked as "unnumbered".
>>>> This may cause all sorts of problems, I suggest you configure
>>>> interface objects with correct ip addresses. Sometimes compiler needs
>>>> to associate certain rules with interfaces, it does that by comparing
>>>> addresses used in rules with addresses of interfaces.
>
> I give every interface its own address - to prevent the
> "unnumbered" problems.
>
> I simplified the whole thing e.g. remove most of the prolog lines
> and "simplified" the NAT rule so the only thing I want is: nat
> all traffic from one specified workstation (10.100.102.67) in the
> internal network to the external network and set the translated
> source to the carp1 interface IP (192.168.129.1).
>
> I attach the generated fw.conf and the fw.fwb file and the
> "pfctl -s all" output, where you can see the connection between
> 10.100.102.67 and 192.168.129.99 is affected by nat.
>
> all tcp 10.100.102.67:45762 -> 192.168.129.99:22 FIN_WAIT_2:FIN_WAIT_2

FIN_WAIT_2 is the final state of a tcp session; it looks like the session has been established and then closed.

In one of your previous emails you said:

> What I want: All traffic from 10.100.105.1 to 192.168.129.99, should
> be "nated", to 192.168.129.1. So 192.168.129.99 see the traffic is
> coming from 192.168.129.1.

The internal interface of the firewall has netmask 255.255.0.0, this explains all this variety of internal addresses (10.100.102.x, 10.100.105.x, 10.100.199.x). I am assuming internal machines are also configured with netmask of the same length.

Your rules look ok to me. I have no experience with CARP so I can not comment on that.

Also, you never explained what actually happens, what you have tried and what works and what does not.

--vk

> The testsystem looks like:
>
>            External LAN 192.168.129.0/24
>                      ^
>                      |
>                      |            Master Firewall
>   ------------------------------------
>   |Real external fxp1: 192.168.129.2  |
>   |CARP external carp1: 192.168.129.1 |fxp2 192.169.127.2
>   |                                   |------------------>
>   |CARP internal carp0: 10.100.199.1  |
>   |Real internal: fxp0: 10.100.199.2  |
>   -------------------------------------
>                      |
>                      |
>            Internal LAN 10.100.0.0/16
>
> Hopefully someone found my mistake.
>
> regards,
> Thomas
>
> <pfctl_out.txt>
> <fw.conf>
> <fw.fwb>
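For readers following this thread, here is a minimal pf.conf for the setup Thomas describes; it is an added example, not the attached fw.conf or fwbuilder's generated output. The macro names are assumptions, the interface and address values come from the topology above, and the syntax is the separate nat-rule form pf used before OpenBSD 4.7.

```pf
# Added example (not from the thread). Macro names are assumptions;
# addresses and interfaces are taken from Thomas's diagram.
ext_if   = "fxp1"            # real external interface, 192.168.129.2
int_if   = "fxp0"            # real internal interface, 10.100.199.2
carp_ext = "192.168.129.1"   # carp1 address, used as translated source
host     = "10.100.102.67"   # the one workstation to translate
ext_net  = "192.168.129.0/24"

# nat is matched on the physical interface the packet leaves through
# (fxp1), not on carp1; only the translation address is the CARP VIP,
# so after a failover the peer firewall can present the same source.
nat on $ext_if from $host to $ext_net -> $carp_ext

# nat rules only rewrite addresses; the traffic still has to be passed.
# Outbound on fxp1 the filter already sees the translated source.
pass in  on $int_if proto tcp from $host     to $ext_net keep state
pass out on $ext_if proto tcp from $carp_ext to $ext_net keep state

# CARP itself must be allowed between the two firewalls or the VIP
# will flap; restrict it to the external and internal segments.
pass on { $ext_if $int_if } proto carp keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -s nat` should list the translation rule, and a translated session shows up in `pfctl -s state` with 192.168.129.1 as its source and the original 10.100.102.67 address in parentheses; a state that still shows 10.100.102.67 as the bare source, as in the output quoted above, means the nat rule did not match.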