Real solution for OpenBSD masq firewall w/udp connections
Brian Costello
bc at preventsys.com
Mon Sep 8 02:34:51 CEST 2003
Tinc OpenBSD masquerading firewall users:
I just found that in OpenBSD's 3.2 and greater kernel, the packet filter
(pf) added the ability to specify a source port for NATing. Therefore,
my UDP rig outlined in my last post is not a desirable solution for
OpenBSD users. I am unsure if Darren Reed's ipf has a similar function
(pf's syntax was originally based on Darren Reed's ipf's syntax). I need
to learn to review the changes to pf in future OpenBSD updates :)
The NAT syntax is like this (put this in your /etc/pf.conf file):
# Name of the external (Internet-facing) interface
ext_if="fxp0"
# IP address of the local tinc instance
tincloc_ip="10.3.4.5"
# IP address of the remote tinc instance
tincrem_ip="30.40.50.60"
# NAT all UDP packets from the local tinc instance with a source port of 655
# destined for the tinc remote IP to the IP address of the external interface,
# port 655
nat on $ext_if inet proto udp from $tincloc_ip port = 655 to $tincrem_ip \
    -> ($ext_if) port 655
# <insert "general" NAT rule here like...>
# example:
# nat on $ext_if from 10.3.4.0/24 to any -> ($ext_if)
# <insert rest of NAT rules ...>
# <insert packet filter rules ...>
Note: I had to do a "pfctl -F all -f /etc/pf.conf" (as opposed to pfctl
-F nat -F rules -f /etc/pf.conf) since I had an rdr rule that was
mucking up the state. You may not have to do that too if you had a NAT
rule that dealt with port 655.
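A fuller /etc/pf.conf built around the same rule, added here as an example (it is not from the original post); interface names and addresses are placeholders. It shows why the tinc-specific rule has to sit ahead of the general masquerading rule: pf evaluates nat rules first-match, so a general rule listed first would rewrite tinc's source port to a random high port.

```pf
# Added example, not from the original post. Placeholder values:
ext_if="fxp0"               # external (Internet-facing) interface
int_if="xl0"                # internal LAN interface
lan_net="10.3.4.0/24"       # masqueraded LAN
tincloc_ip="10.3.4.5"       # local tinc daemon
tincrem_ip="30.40.50.60"    # remote tinc daemon
tinc_port="655"

# --- Translation rules: FIRST matching nat rule wins ---

# Specific rule first: keep source port 655 for the local tinc daemon.
nat on $ext_if inet proto udp from $tincloc_ip port $tinc_port \
    to $tincrem_ip -> ($ext_if) port $tinc_port

# General rule second: everything else from the LAN gets a dynamic
# source port. Putting this line ABOVE the tinc rule would make the
# tinc rule unreachable, and the remote peer would see the source
# port drift instead of staying at 655.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# --- Filter rules: LAST matching rule wins ---
block in log all

# Outbound tinc UDP after translation; the state entry also admits the
# remote peer's replies without a separate "pass in" rule.
pass out on $ext_if inet proto udp from ($ext_if) port $tinc_port \
    to $tincrem_ip port $tinc_port keep state

pass out on $ext_if from ($ext_if) to any keep state
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, and after tinc has sent traffic confirm with "pfctl -s state | grep 655" that the translated source address still shows port 655.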
Hope this is useful to somebody. Guus: this might make a good example
for the "tinc behind a masquerading firewall" page.
bc
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/