Date: Fri, 24 Oct 2008 11:00:21 +0200
From: Peter Wullinger <peter.wullinger@googlemail.com>
To: freebsd-pf@freebsd.org
Subject: Re: Pf-Beginner help with using Binat & Nat with several machines
Message-ID: <49018EA5.7040607@googlemail.com>
In-Reply-To: <7259d7020810231009s6e719143r1239d265a41f48cc@mail.gmail.com>
References: <7259d7020810231009s6e719143r1239d265a41f48cc@mail.gmail.com>
JC Janos schrieb:
> Hello,
>
> To do this, I think I need both nat & binat, and from what I
> understand, I should add the following to my "pf.conf" file --

The idea behind nat/binat is the following:

NAT maps packets matching an address specification to a different /source/ address. In short, this means that a rule like

  nat from $src to $dst -> $mapped_address

causes all packets that originate from $src and go to $dst to have their source address rewritten to $mapped_address. If you have stateful filtering enabled (as you surely do), the translation is applied in the reverse order for packets that match a recorded state. In this case, it is also possible to map multiple hosts to the same external IP address, as incoming traffic is only translated when it matches a state table entry. PF also comes with some additional "obfuscation" possibilities for added security.

See the OpenBSD PF FAQ for another and more elaborate explanation:

  http://www.openbsd.org/faq/pf/nat.html#works

BINAT --on the other hand-- establishes a 1:1 mapping between two IP addresses. A rule like

  binat from $src to $dst -> $ext

causes the source address in all packets from $src in the direction of $dst to be replaced by $ext AND vice versa. Basically, BINAT says "Everything that originates from $dst should be faked as if to originate from $ext AND everything that comes in for $ext from $dst shall be rewritten and forwarded to $src".

All of the above is of course to be considered without regard to any employed packet filtering. Again, see the OpenBSD PF FAQ for more details:

  http://www.openbsd.org/faq/pf/nat.html#binat

[snip]
> binat on $wanIF from $server_1 to any -> $wanIP_2
> binat on $wanIF from $server_2 to any -> $wanIP_2
> binat on $wanIF from $server_3 to any -> $wanIP_2

Is this really correct, all with the same $wanIP_2? If this was intended, it probably does not work. Where should incoming traffic for $wanIP_2 be forwarded to?

Maybe you wanted:

  binat on $wanIF from $server_1 to any -> $wanIP_1
  binat on $wanIF from $server_2 to any -> $wanIP_2
  binat on $wanIF from $server_3 to any -> $wanIP_3

Put somewhat sloppily, these rules expose the $server_? to the internet as $wanIP_?, where the firewall does the automatic translation (again minus additional filtering).

> My head's spinning from reading up on this. I've managed to get more
> confused from all the examples, and I'm just not sure how to go about
> this.

The road ahead depends on what you intend to do. Do you want to expose the internal hosts to the internet as if they were actually assigned the external addresses, or do you need a more elaborate ruleset, e.g. something along the lines of "incoming connections for tcp port 80 on $wanIP_2 go to $server_1 and tcp port 443 goes to $server_2, but all outgoing traffic of $server_1 will use an external address of $wanIP_3"? But I think I can guess the answer ;-).

Regards,
Peter
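The following complete pf.conf is an added example, not part of the mail above and not the original poster's configuration. It puts the three mechanisms discussed in the reply side by side in the pf syntax the thread uses (FreeBSD 7-era nat/binat/rdr): many-to-one nat for the LAN, one-to-one binat for the three servers with one public address each, and, commented out, the port-based rdr variant of the "more elaborate ruleset". The interface names, the $lanIF and $lan macros, and all addresses (RFC 1918 and RFC 5737 ranges) are assumptions; the $wanIP_? addresses are assumed to be configured as aliases on $wanIF.

```pf
# Added example pf.conf; not from the original mail. Interfaces, the $lanIF/$lan
# macros and all addresses are constructed assumptions (RFC 1918 / RFC 5737).
wanIF    = "em0"
lanIF    = "em1"
lan      = "192.168.1.0/24"
server_1 = "192.168.1.11"
server_2 = "192.168.1.12"
server_3 = "192.168.1.13"
wanIP_1  = "203.0.113.11"   # assumed to be aliases on $wanIF
wanIP_2  = "203.0.113.12"
wanIP_3  = "203.0.113.13"

set skip on lo0
scrub in all

# ---- Translation rules (in this pf dialect they must precede filter rules;
#      the first matching translation rule wins, so binat is listed first) ----

# One-to-one BINAT: each server is exposed under its own public address, in
# both directions. One public address per server; sharing $wanIP_2 three
# times would leave pf no way to decide where inbound traffic should go.
binat on $wanIF from $server_1 to any -> $wanIP_1
binat on $wanIF from $server_2 to any -> $wanIP_2
binat on $wanIF from $server_3 to any -> $wanIP_3

# Many-to-one NAT: every other LAN host shares the primary address of $wanIF.
# Replies are only translated back when they match a state entry, which is
# why many hosts can share one external address.
nat on $wanIF from $lan to any -> ($wanIF)

# Alternative for the "more elaborate" case in the mail (do not combine with
# the binat lines for the same hosts): port 80 of $wanIP_2 goes to $server_1,
# port 443 of $wanIP_2 goes to $server_2, and $server_1 sources its outgoing
# traffic from $wanIP_3. The host-specific nat line must precede the $lan one.
# rdr on $wanIF proto tcp from any to $wanIP_2 port 80  -> $server_1 port 80
# rdr on $wanIF proto tcp from any to $wanIP_2 port 443 -> $server_2 port 443
# nat on $wanIF from $server_1 to any -> $wanIP_3

# ---- Filter rules ----
# Translation happens before filtering, so inbound pass rules must name the
# INTERNAL address a packet carries after binat/rdr, not the public one.
# Exposing a host 1:1 does not open any port by itself; these rules do.
block in log all
pass out keep state

pass in on $wanIF proto tcp from any to $server_1 port 80  flags S/SA keep state
pass in on $wanIF proto tcp from any to $server_2 port 443 flags S/SA keep state
pass in on $wanIF proto tcp from any to $server_3 port 22  flags S/SA keep state

pass in on $lanIF from $lan to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then inspect what pf actually installed with `pfctl -s nat` (translation rules) and `pfctl -s rules` (filter rules); `pfctl -s state` shows the state entries that drive the reverse translation described in the reply.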