[TriLUG] NAT with OpenBSD on sparcstation 5

Cristobal Palmer cristobalpalmer at gmail.com
Fri Sep 1 14:11:29 EDT 2006


I've already spoken with several people on the list about this
problem, but I'm still stuck, so I thought I'd cast a wider net.

I've got a sparcstation 5 on which I've installed OpenBSD 3.9. I've
got another OpenBSD box that handles NAT fine, but the sparc isn't
happy. The situation looks like this:

laptop --> sparcstation --> main router (openbsd) --> entireweb

There are four other machines plugged into the main router besides the
sparc, all of which have a happy NATing experience. The laptop behind
the sparc is sadly not so lucky.

Here's the (very basic) pf.conf for the sparc:

---------pf.conf begins here---------
#       $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="le0"
all_int="hme0 hme1 hme2 hme3"

tcp_services="{ 22, 113 }"  # per instructions on http://www.openbsd.org/faq/pf/example1.html
icmp_types="echoreq"

set block-policy return # what should we do with packets destined for blocked ports?
set loginterface $ext_if

#table <spamd> persist
#table <spamd-white> persist

set skip on lo

scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
#       -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
#       -> 127.0.0.1 port spamd

block in
pass out keep state

#anchor "ftp-proxy/*"

pass quick on $all_int
antispoof quick for { lo $all_int }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
  port $tcp_services flags S/SA keep state
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

---------pf.conf ends here---------

Other notes:

* I've got dnsmasq as my dhcp server (the laptop does successfully get
an address).
* I've got something very close to this on the main router. Some similar lines:

---------some pf.conf lines from main router begin here---------

set block-policy return # what should we do with packets destined for blocked ports?
set loginterface $ext_if

set skip on { lo $int_if }
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state

antispoof quick for { lo $int_if }

---------some pf.conf lines from main router end here---------

TIA for any and all help.

-- 
Cristobal M. Palmer
UNC-CH SILS Student
TriLUG Vice Chair
cristobalpalmer at gmail.com
cmpalmer at ils.unc.edu
ils.unc.edu/~cmpalmer
"Television-free since 2003"

<tarheelcoxn> iank has trouble with English. his native language is Python
<iank> Yeah
<iank>   I'm forced
<iank>     To indent
<iank>   My sentences
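An added illustration, not part of the original post, of how pf picks the deciding rule for the sparc's filter rules above: rules are evaluated top to bottom, the last match wins, and a matching `quick` rule decides immediately. The sample packets and ports are constructed; nat, scrub and antispoof lines are not modelled.

```python
# Tiny model of pf filter-rule evaluation applied to the sparc's pf.conf
# (added example only, not OpenBSD code; nat/scrub/antispoof not modelled).
from dataclasses import dataclass
from typing import Optional

ALL_INT = ("hme0", "hme1", "hme2", "hme3")   # $all_int from the posted config

@dataclass
class Rule:
    text: str
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out" or None (both)
    ifaces: tuple = ()                 # empty tuple: any interface
    dports: tuple = ()                 # empty tuple: any destination port
    quick: bool = False

    def matches(self, direction, iface, dport):
        return (self.direction in (None, direction)
                and (not self.ifaces or iface in self.ifaces)
                and (not self.dports or dport in self.dports))

# Filter rules in the order they appear in the posted pf.conf.
RULESET = [
    Rule("block in", "block", "in"),
    Rule("pass out keep state", "pass", "out"),
    Rule("pass quick on $all_int", "pass", None, ALL_INT, quick=True),
    Rule("pass in on $ext_if ... port $tcp_services", "pass", "in", ("le0",), (22, 113)),
]

def decide(direction, iface, dport, ruleset=RULESET):
    """Return (action, rule_text) for one packet: pf keeps the last matching
    rule, unless a matching rule is 'quick', which ends evaluation at once."""
    winner = None
    for rule in ruleset:
        if rule.matches(direction, iface, dport):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return ("pass", "<no match: pf passes by default>")
    return (winner.action, winner.text)

if __name__ == "__main__":
    # Constructed packets: the laptop's request entering on hme0 and leaving
    # on le0, then unsolicited inbound packets on le0 to ports 80 and 22.
    for pkt in (("in", "hme0", 80), ("out", "le0", 80), ("in", "le0", 80), ("in", "le0", 22)):
        print(pkt, "->", decide(*pkt))
```

Inbound traffic on the hme interfaces is decided by the `quick` rule before the later rules are ever consulted, which is why rule order matters when reading a pf.conf.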
