Bidirectional translation for DNS and WWW servers

Bidirectional translation for DNS and WWW servers

Bray Mailloux
Misc Users;

I'm having NAT problems; could someone examine my pf file and make some
recommendations?
(Yes, NAT is well documented. I'm not here because of issues with clarity.)
Thanks;
Bray.


PS: My pf.conf file
#Macros

# 192.168.0.1 subnet
ext_ip="64.142.102.8"
int_ip="192.168.0.1"
int_block="192.168.0.0/24"
#DMZ subnet
#Interface
dmz_ip="192.168.1.1"
#DNS 1
scarlett="192.168.1.2"
pub_scarlett="64.142.102.9"
#DNS 2
shelly="192.168.1.3"
pub_shelly="64.142.102.10"
#WWW 1
www_ip="192.168.1.4"
pub_www="64.142.102.11"
#Normalizing
#scrub in all
table <natclients> { $int_ip, !$scarlett, !$shelly, !$www_ip }

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
nat on rl0 from $scarlett to any -> $pub_scarlett
nat on rl0 from $shelly to any -> $pub_shelly
nat on rl0 from $www_ip to any -> $pub_www

#Default block policy
#block all

#Anti-spoofing
#block in quick from urpf-failed

#Traffic passing through
pass in all
#pass out all

#External interfaces
#pass in on rl0 inet proto { tcp, udp } all modulate state
pass out on rl0 proto { tcp, udp, icmp } all modulate state

Re: Bidirectional translation for DNS and WWW servers

Matt Rowley
> I'm having NAT problems; could someone examine my pf file and make some
> recommendations?
> (Yes, Nat is well documented. I'm not here because of issues with clarity.
> Thanks;

Well, for starters, you have three 'nat' statements that you probably meant
to be 'binat' statements.

> #NAT and Binat
> nat on rl0 from $int_block to any -> $ext_ip
> nat on rl0 from $scarlett to any -> $pub_scarlett
> nat on rl0 from $shelly to any -> $pub_shelly
> nat on rl0 from $www_ip to any -> $pub_www

Beyond that, you'll have to be more specific as to what your NAT problems
are.

--Matt

Re: Bidirectional translation for DNS and WWW servers

Greg Thomas-3
In reply to this post by Bray Mailloux
On 6/5/07, Bray Mailloux <[hidden email]> wrote:
> Misc Users;
>
> I'm having NAT problems; could someone examine my pf file and make some
> recommendations?
>

This is really incomplete.  What are you trying to accomplish?  What
works and what doesn't?  What are the interfaces for your internal,
dmz, and external networks (e.g. ifconfig output)?

>
> PS: My pf.conf file
> #Macros
>
> # 192.168.0.1 subnet
> ext_ip="64.142.102.8"
> int_ip="192.168.0.1"
> int_block="192.168.0.0/24"
> #DMZ subnet
> #Interface
> dmz_ip="192.168.1.1"
> #DNS 1
> scarlett="192.168.1.2"
> pub_scarlett="64.142.102.9"
> #DNS 2
> shelly="192.168.1.3"
> pub_shelly="64.142.102.10"
> #WWW 1
> www_ip="192.168.1.4"
> pub_www="64.142.102.11"
> #Normalizing
> #scrub in all
> table <natclients> { $int_ip, !$scarlett, !$shelly, !$www_ip }
>
> #NAT and Binat
> nat on rl0 from $int_block to any -> $ext_ip
> nat on rl0 from $scarlett to any -> $pub_scarlett
> nat on rl0 from $shelly to any -> $pub_shelly
> nat on rl0 from $www_ip to any -> $pub_www
>
> #Default block policy
> #block all
>
> #Anti-spoofing
> #block in quick from urpf-failed
>
> #Traffic passing through
> pass in all
> #pass out all
>
> #External interfaces
> #pass in on rl0 inet proto { tcp, udp } all modulate state
> pass out on rl0 proto { tcp, udp, icmp } all modulate state

Bidirectional translation for DNS and WWW servers

Bray Mailloux
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:bf:3a:2e:66
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
        inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:46:30:0b:b2
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:5b:3d:12:12
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:5bff:fe3d:1212%vr0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536

# cat /etc/pf.conf
#Macros

# 192.168.0.1 subnet
ext_ip="64.142.102.8"
int_ip="192.168.0.1"
int_block="192.168.0.0/24"
#DMZ subnet
#Interface
dmz_ip="192.168.1.1"
#DNS 1
scarlett="192.168.1.2"
pub_scarlett="64.142.102.9"
#DNS 2
shelly="192.168.1.3"
pub_shelly="64.142.102.10"
#WWW 1
www_ip="192.168.1.4"
pub_www="64.142.102.11"
#Normalizing
#scrub in all

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www

#Default block policy
#block all

#Anti-spoofing
#block in quick from urpf-failed

#Traffic passing through
pass in all
pass out all

#External interfaces
#pass in on rl0 inet proto { tcp, udp } all modulate state
#pass out on rl0 proto { tcp, udp, icmp } all modulate state

# dmesg
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
    [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 931 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 401108992 (391708K)
avail mem = 357941248 (349552K)
using 4278 buffers containing 20180992 bytes (19708K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 10/14/00, BIOS32 rev. 0 @ 0xfd8a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd8a0/0x760
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xa000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82810E" rev 0x03: rng active, 7Kb/sec
vga1 at pci0 dev 1 function 0 "Intel 82810E Graphics" rev 0x03: aperture at
0xf8000000, size 0x4000000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 "Intel 82801AA Hub-to-PCI" rev 0x02
pci1 at ppb0 bus 1
rl0 at pci1 dev 11 function 0 "Realtek 8139" rev 0x10: irq 5, address
00:50:bf:3a:2e:66
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 13 function 0 "D-Link Systems 530TX+" rev 0x10: irq 9,
address 00:13:46:30:0b:b2
rlphy1 at rl1 phy 0: RTL internal PHY
vr0 at pci1 dev 14 function 0 "VIA VT6105 RhineIII" rev 0x86: irq 10,
address 00:19:5b:3d:12:12
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI
0x004063, model 0x0034
ichpcib0 at pci0 dev 31 function 0 "Intel 82801AA LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801AA IDE" rev 0x02: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD100EB-11BHF0>
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <SONY, CD-RW CRX320EE, RYK4> SCSI0 5/cdrom
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 "Intel 82801AA USB" rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ichiic0 at pci0 dev 31 function 3 "Intel 82801AA SMBus" rev 0x02: irq 9
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fb45 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

No traffic is being blocked for troubleshooting purposes. My NAT is not
working, or the internet for that matter, on my DMZ computers. The DMZ
computers operate under interface rl1, which has IP address 192.168.1.1. My
DMZ computers are Scarlett, Shelly and WWW with respective private IPs of
192.168.1.2, 192.168.1.3, 192.168.1.4; the public IPs are 64.142.102.9,
64.142.102.10, 64.142.102.11.

Re: Bidirectional translation for DNS and WWW servers

Matt Rowley
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:50:bf:3a:2e:66
>        groups: egress
>        media: Ethernet autoselect (100baseTX full-duplex)
>        status: active
>        inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
>        inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1

> binat on rl0 from $scarlett to any -> $pub_scarlett
> binat on rl0 from $shelly to any -> $pub_shelly
> binat on rl0 from $www_ip to any -> $pub_www

The external addresses you're pointing to in your binat statements, you have
them configured as aliases to your external interface (rl0), right?
(One can't tell from ifconfig output unless you run 'ifconfig rl0' explicitly.)

--Matt
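The two things Matt points at in this thread (nat rules that should be binat, and binat targets that are not configured as aliases on the external interface) can both be checked mechanically before reloading a ruleset. The script below is an added example, not code from the thread or from OpenBSD; it works on constructed inline input modelled on Bray's pf.conf and on an assumed 'ifconfig rl0' output where only 64.142.102.8 and one alias are present, so it runs offline. On a real box you would feed it the contents of /etc/pf.conf and the output of 'ifconfig rl0' instead of the embedded strings.

```sh
#!/bin/sh
# Added example (not from the thread): static checks on a pf.conf translation
# section. Constructed inputs below stand in for /etc/pf.conf and `ifconfig rl0`.

# Constructed pf.conf excerpt: macros plus one subnet nat rule, two binat rules,
# and one nat rule that maps a single host to a single address (a binat candidate).
PF_CONF='ext_ip="64.142.102.8"
scarlett="192.168.1.2"
pub_scarlett="64.142.102.9"
shelly="192.168.1.3"
pub_shelly="64.142.102.10"
www_ip="192.168.1.4"
pub_www="64.142.102.11"
nat on rl0 from 192.168.0.0/24 to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
nat on rl0 from $www_ip to any -> $pub_www'

# Constructed `ifconfig rl0` output: primary address and only one alias configured.
IFCONFIG_RL0='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
        inet 64.142.102.9 netmask 0xffffffff broadcast 64.142.102.9'

# expand_macros CONF: print CONF with name="value" macro definitions removed and
# every $name reference replaced by its value (only the simple form pf uses here).
expand_macros() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$/ {
            eq = index($0, "="); name = substr($0, 1, eq - 1)
            val = substr($0, eq + 1); gsub(/"/, "", val)
            macro[name] = val; next
        }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\$/ && (substr($i, 2) in macro)) $i = macro[substr($i, 2)]
            print
        }'
}

# translation_targets CONF IFACE: the addresses that nat/binat rules on IFACE
# translate to (the token after "->"), one per line, in ruleset order.
translation_targets() {
    expand_macros "$1" | awk -v iface="$2" '
        ($1 == "nat" || $1 == "binat") && $2 == "on" && $3 == iface {
            for (i = 1; i < NF; i++) if ($i == "->") print $(i + 1)
        }'
}

# single_host_nat_rules CONF: nat rules whose source is one host (no prefix
# length, not "any") and whose target is one address; these usually want binat,
# since plain nat gives the host no inbound translation.
single_host_nat_rules() {
    expand_macros "$1" | awk '
        $1 == "nat" && $4 == "from" && $5 !~ /\// && $5 != "any" && $NF !~ /\// { print }'
}

# configured_addrs IFCONFIG_OUTPUT: IPv4 addresses bound to the interface.
configured_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# missing_aliases CONF IFCONFIG_OUTPUT IFACE: translation targets on IFACE that
# the interface does not actually carry, one per line (empty when all present).
missing_aliases() {
    present=" $(configured_addrs "$2" | tr '\n' ' ') "
    for t in $(translation_targets "$1" "$3"); do
        case "$present" in
            *" $t "*) ;;
            *) printf '%s\n' "$t" ;;
        esac
    done
}

echo "nat rules that look like they should be binat:"
single_host_nat_rules "$PF_CONF"
echo "translation targets not configured on rl0:"
missing_aliases "$PF_CONF" "$IFCONFIG_RL0" rl0
```

With the constructed inputs this reports the www nat rule as a binat candidate and lists 64.142.102.10 and 64.142.102.11 as targets rl0 does not carry, which is exactly the situation Bray confirms in his reply. The address check is deliberately strict about the interface named in the rule: a target configured on a different interface is still reported, because pf will translate to it but the router will never answer ARP for it on the egress side.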

Re: Bidirectional translation for DNS and WWW servers

Bray Mailloux
Matt Rowley wrote:

>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>        lladdr 00:50:bf:3a:2e:66
>>        groups: egress
>>        media: Ethernet autoselect (100baseTX full-duplex)
>>        status: active
>>        inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
>>        inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
>
>> binat on rl0 from $scarlett to any -> $pub_scarlett
>> binat on rl0 from $shelly to any -> $pub_shelly
>> binat on rl0 from $www_ip to any -> $pub_www
>
> the external addresses you're pointing to in your binat statements, you have
> them configured as aliases to your external interface (rl0), right?
> (one can't tell from ifconfig output unless you run 'ifconfig rl0' explicitly)
>
> --Matt
>
No, I did not. I removed them in the past for reasons unknown. Thank you
for your help, everyone.

Re: Bidirectional translation for DNS and WWW servers

Stuart Henderson
In reply to this post by Bray Mailloux
On 2007/06/06 14:32, BradenM - Sonoma Computer wrote:
...pretty useful info...

Also useful for any suspected PF problems:

# pfctl -sa
(to check that the ruleset did indeed get loaded, and that PF is
enabled - if you can also have some pings running we'll see how
state tables look too).

# sysctl net.inet.ip.forwarding
(you never know...)

How does traffic from the outside reach this machine? Is whatever
device that's giving it connectivity setup to send traffic for all
the relevant IP addresses to this box?

You should be able to pfctl -d to disable PF and ping each address
from outside. If not there's a more fundamental problem that needs
looking at before examining the PF configuration. Fix then enable
PF again (pfctl -e).

Not relevant to you since you pass all traffic, but other people
are reading this who might not: 'log' on all block rules, reload
PF, and (ifconfig pflog0 up; tcpdump -netti pflog0)