[TriLUG] Re: NAT with OpenBSD on sparcstation 5

Cristobal Palmer cristobalpalmer at gmail.com
Sun Sep 3 17:55:52 EDT 2006


I should've responded to the list sooner. I actually got past the pf
problem and ran up against a dnsmasq limitation.

Chris was on the money with the 'pfctl -s' advice. I saw the error
right away once I did 'pfctl -s all'. The line that ended up working
was this:

   nat pass on $ext_if inet from !($ext_if) to any -> ($ext_if:0)

The problem now is that dnsmasq demands that only one interface be defined:

   dnsmasq: must set exactly one interface on broken systems without IP_RECVIF

Looks like they might have that in the near future:

http://archives.neohapsis.com/archives/openbsd/cvs/2006-05/1394.html

Thanks to those who responded,
CMP

On 9/3/06, Chris Bullock <cgbullock at yahoo.com> wrote:
> First off, what does not work?  Are you sure that your sparc can access your
> main router, i.e. do you know for sure that the $ext_if of the sparc is
> functional? Can you ping the main router from the sparcstation?  To see if
> nat is the true problem I would drop the pf rules with routing still enabled
> and see if your laptop could access anything beyond the sparcstation, or at
> least try to ping the ext_if of the sparc.  Also, have you run pfctl -sn to
> see if the nat rules are being implemented as you desire them to be?  If
> everything seems OK, try running tcpdump -nettti le0 to see if you are
> getting any traffic from anywhere.
>   Good luck,
>   Chris
>   Date: Fri, 1 Sep 2006 14:11:29 -0400
> From: "Cristobal Palmer" <cristobalpalmer at gmail.com>
> Subject: [TriLUG] NAT with OpenBSD on sparcstation 5
> To: "Triangle Linux Users Group discussion list" <trilug at trilug.org>
> Message-ID:
>  <39e2ba090609011111v5fcf054dj8945e599dadd2562 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> I've already spoken with several people on the list about this
> problem, but I'm still stuck, so I thought I'd cast a wider net.
>
> I've got a sparcstation 5 on which I've installed OpenBSD 3.9. I've
> got another openbsd box that handles NAT fine, but the sparc isn't
> happy. The situation looks like this:
>
> laptop --> sparcstation --> main router (openbsd) --> entireweb
>
> There are four other machines plugged into the main router besides the
> sparc, all of which have a happy NATing experience. The laptop behind
> the sparc is sadly not so lucky.
>
> Here's the (very basic) pf.conf for the sparc:
>
> ---------pf.conf begins here---------
> #       $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="le0"
> all_int="hme0 hme1 hme2 hme3"
>
> tcp_services="{ 22, 113 }"  # per instructions on http://www.openbsd.org/faq/pf/example1.html
> icmp_types="echoreq"
>
> set block-policy return # what should we do with packets destined for blocked ports?
> set loginterface $ext_if
>
> #table <spamd> persist
> #table <spamd-white> persist
>
> set skip on lo
>
> scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #rdr pass on $ext_if proto tcp from <spamd> to port smtp \
> #       -> 127.0.0.1 port spamd
> #rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
> #       -> 127.0.0.1 port spamd
>
> block in
> pass out keep state
>
> #anchor "ftp-proxy/*"
>
> pass quick on $all_int
> antispoof quick for { lo $all_int }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>   port $tcp_services flags S/SA keep state
> #pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
>
> ---------pf.conf ends here---------
>
> Other notes:
>
> * I've got dnsmasq as my dhcp server (the laptop does successfully get
> an address).
> * I've got something very close to this on the main router. Some similar
> lines:
>
> ---------some pf.conf lines from main router begin here---------
>
> set block-policy return # what should we do with packets destined for blocked ports?
> set loginterface $ext_if
>
> set skip on { lo $int_if }
> scrub in
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> block in
> pass out keep state
>
> antispoof quick for { lo $int_if }
>
> ---------some pf.conf lines from main router end here---------
>
> TIA for any and all help.
>
> --
> Cristobal M. Palmer
> UNC-CH SILS Student
> TriLUG Vice Chair
> cristobalpalmer at gmail.com
> cmpalmer at ils.unc.edu
> ils.unc.edu/~cmpalmer
> "Television-free since 2003"
>
> <tarheelcoxn> iank has trouble with English. his native language is Python
> <iank> Yeah
> <iank>   I'm forced
> <iank>     To indent
> <iank>   My sentences
>
>
>
>


-- 
Cristobal M. Palmer
UNC-CH SILS Student
TriLUG Vice Chair
cristobalpalmer at gmail.com
cmpalmer at ils.unc.edu
ils.unc.edu/~cmpalmer
"Television-free since 2003"

<tarheelcoxn> iank has trouble with English. his native language is Python
<iank> Yeah
<iank>   I'm forced
<iank>     To indent
<iank>   My sentences

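The two nat lines from the thread side by side, in a minimal pf.conf for the sparc. This is an added example written for this page, not the poster's file or anything from the OpenBSD project: the interface names (le0, hme0-hme3), the sysctl, and the two nat rules are taken from the messages above; everything else (the trimmed rule set, the single port 22 pass rule) is assumed.

```conf
# /etc/pf.conf for the sparcstation, OpenBSD 3.9 (pre-4.7 nat grammar).
# Added example for this page; interface names and the two nat rules come
# from the thread, the rest is an assumption.

ext_if="le0"
all_int="hme0 hme1 hme2 hme3"

# pf translates, it does not route: without net.inet.ip.forwarding=1
# (sysctl now, /etc/sysctl.conf for next boot) nothing behind the box
# gets out whatever the rules below say.

set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

# As first posted: translation only. Translated packets are still matched
# against the filter rules below on their way out of $ext_if.
#nat on $ext_if from !($ext_if) -> ($ext_if:0)

# As reported working: with the pass modifier, packets matched by this
# translation rule are passed without the filter rules being evaluated
# for them at all; inet restricts the rule to IPv4.
nat pass on $ext_if inet from !($ext_if) to any -> ($ext_if:0)

block in
pass out keep state

pass quick on $all_int
antispoof quick for { lo $all_int }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port 22 flags S/SA keep state
```

Check it before loading with `pfctl -nf /etc/pf.conf` (parse only, nothing is installed), load with `pfctl -f /etc/pf.conf`, then confirm what pf actually holds with `pfctl -s nat` and `pfctl -s rules`, which is the `pfctl -s` advice from the thread narrowed to the two tables that matter here. One caveat on the working line: because of `pass`, any filter rule on $ext_if is skipped for packets the nat rule matches, so if you later want to restrict what the laptop may reach, take `pass` off the nat rule and write the outbound policy as explicit pass rules instead.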