Hello all, I am replacing a Cisco ASA with an OpenBSD PF NAT box for a couple of reasons: I'm tired of paying Cisco money just to receive updates, tired of the license limits and the device is about six years old.
So I have an Atom server with three interfaces, one each for public/DMZ/internal. The current config with the ASA is the following: external (fxp1) ---> Firewall ---> DMZ (192.168.100.0/24) (fxp0) ---> Internal (192.168.200.0/24) (re0). I don't really want to re-IP the nodes in the DMZ, so if possible I'd like to keep everything the same. I've purchased The Book of PF (2nd edition) but still need some assistance. Here is my pf.conf: Code:
#MACROS
_int="re0"
lan="re0:network"
_dmz="fxp0"
dmz="192.168.100.0/24"
mailserver="192.168.100.2"
ftpwebserver="192.168.100.1"
RFC1918="{ 10/8 172.16/12 192.168/16 }"
#TABLES
#OPTIONS
set skip on lo
set block-policy drop
#NORMALIZE TRAFFIC
match in all scrub ( no-df max-mss 1440 )
#NAT
match out on egress from $lan to any nat-to egress
match out on egress from $dmz to any nat-to egress
#REDIRECTIONS (one rule per port; the repeated port 25 and port 110 rules were dropped)
match in on egress inet proto tcp from any to any port 25 \
rdr-to $mailserver
match in on egress inet proto tcp from any to any port 110 \
rdr-to $mailserver
match in on egress inet proto tcp from any to any port 587 \
rdr-to $mailserver
match in on egress inet proto tcp from any to any port 465 \
rdr-to $mailserver
match in on egress inet proto tcp from any to any port 995 \
rdr-to $mailserver
match in on egress inet proto tcp from any to any port 443 \
rdr-to $mailserver
match in on egress inet proto tcp from any to any port 80 \
rdr-to $ftpwebserver
#BLOCK POLICY
block log all
#PROTECTION
antispoof for { lo0 re0 fxp0 fxp1 }
block in on egress from $RFC1918 to any
block out on egress from any to $RFC1918
#AUTHORIZE PINGS
pass inet proto icmp all icmp-type { echoreq, unreach }
#FORWARDING OUT
pass out on egress inet proto tcp from any to any
pass out on egress inet proto udp from any to any
#LAN SERVICES
anchor "ftp-proxy/*"
pass in on $_int proto tcp from any to any port ftp \
rdr-to 127.0.0.1 port 8021
#AUTHORIZED SERVICES
pass in on $_int proto tcp from $lan to any port \
{ 80 22 3000 4567 443 53 69 }
pass in quick on $_int proto udp from $lan to any port { domain 69 }
#CONSOLE ACCESS
#pass in on egress proto tcp from any to egress port 22
#DMZ SERVICES
pass in on egress proto tcp from any to $mailserver port \
{ 25 110 443 587 465 995 }
pass out on $_dmz proto tcp from any to $mailserver port \
{ 25 110 443 587 465 995 }
# note: "to any" also covers the internal network, so the mail server may open
# connections to LAN hosts on these ports
pass in on $_dmz proto tcp from $mailserver to any port \
{ 25 110 587 465 995 }
#ACCESS WEB SERVICES
pass in on egress inet proto tcp from any to $ftpwebserver port 80
# traffic to the web server leaves on the DMZ interface, not the internal one (was $_int)
pass out on $_dmz inet proto tcp from any to $ftpwebserver port 80
Basically I want the internal network to be able to access the DMZ but obviously not the other way around. I'm having some issues with that part.
Last edited by ocicat; 1st November 2011 at 04:05 PM. Reason: Please use [code] & [/code] tags when posting command output.
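The following is an added example ruleset, not the poster's config, showing one way to express the policy asked for above (LAN may reach the DMZ and the Internet, the DMZ may reach neither the LAN nor the firewall, and the published services are reachable from outside). Interface names, networks, host addresses and the published ports are taken from the post; the assumptions are that the firewall offers no services to DMZ hosts (so `self` can be blocked from the DMZ side), that the mail server only needs outbound SMTP/submission, and that both DMZ hosts need DNS. The main point is that the policy is enforced on the interface where a packet enters, with `quick` block rules for DMZ-originated traffic so that no later `pass` rule can override them.

```pf
# Added example (not the poster's ruleset). Interfaces, networks and hosts are
# taken from the post; anything else is an assumption noted in a comment.
ext_if = "fxp1"
dmz_if = "fxp0"
int_if = "re0"

lan_net = "192.168.200.0/24"
dmz_net = "192.168.100.0/24"
mailserver = "192.168.100.2"
webserver  = "192.168.100.1"
mail_ports = "{ 25 110 443 465 587 995 }"

table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }

set skip on lo
set block-policy drop

match in all scrub (no-df max-mss 1440)

# NAT for both inside networks; ($ext_if) tracks the external address if it changes
match out on $ext_if from { $lan_net $dmz_net } to any nat-to ($ext_if)

# Port forwards into the DMZ
match in on $ext_if inet proto tcp from any to ($ext_if) port $mail_ports rdr-to $mailserver
match in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $webserver

# Default deny; everything below opens specific holes
block log all
antispoof quick for { $int_if $dmz_if $ext_if }
block in quick on $ext_if from <rfc1918> to any
block out quick on $ext_if from any to <rfc1918>

pass inet proto icmp all icmp-type { echoreq unreach }

# DMZ isolation: "quick" makes this rule final as soon as it matches, so no
# pass rule anywhere in the file (including the ICMP rule above) can let
# DMZ-originated traffic reach the LAN or the firewall's own addresses.
# Assumption: the firewall offers no services to DMZ hosts.
block in log quick on $dmz_if from $dmz_net to { $lan_net self }

# DMZ hosts may only originate what their role needs (assumed: outbound mail
# delivery from the mail server and DNS lookups for both hosts)
pass in on $dmz_if inet proto tcp from $mailserver to any port { 25 587 }
pass in on $dmz_if inet proto { tcp udp } from $dmz_net to any port domain

# LAN hosts may reach the Internet and the DMZ; the state created here also
# matches the reply packets arriving on $dmz_if and $ext_if
pass in on $int_if from $lan_net to any

# Published services: rdr-to has already rewritten the destination, so the
# filter rule matches on the DMZ address, not the external one
pass in on $ext_if inet proto tcp from any to $mailserver port $mail_ports
pass in on $ext_if inet proto tcp from any to $webserver port 80

# Outbound on any interface is fine: the decision was made on ingress
pass out all
```

Because every connection is permitted or denied on its ingress interface and PF keeps state, the per-interface `pass out` rules from the posted config are unnecessary; `pass out all` only covers packets that already passed an inbound check. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the isolation works by attempting a connection from a DMZ host to a LAN address while watching `tcpdump -n -e -ttt -i pflog0`: the logged block rule should show the drop on fxp0.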