Real solution for OpenBSD masq firewall w/udp connections

Brian Costello bc at preventsys.com
Mon Sep 8 02:34:51 CEST 2003


Tinc OpenBSD masquerading firewall users:

I just found that in OpenBSD's 3.2 and greater kernel, the packet filter
(pf) added the ability to specify a source port for NATing.  Therefore,
my UDP rig outlined in my last post is not a desirable solution for
OpenBSD users.  I am unsure if Darren Reed's ipf has a similar function
(pf's syntax was originally based on the syntax of Darren Reed's ipf).  I
need to learn to review the changes to pf in future OpenBSD updates :)

The NAT syntax is like this (put this in your /etc/pf.conf file):

# Name of the external (Internet-facing) interface
ext_if="fxp0"
# IP address of the local tinc instance
tincloc_ip="10.3.4.5"
# IP address of the remote tinc instance
tincrem_ip="30.40.50.60"

# NAT all UDP packets from the local tinc instance with a source port of 655
# destined for the tinc remote IP to the IP address of the external
# interface, port 655
nat on $ext_if inet proto udp from $tincloc_ip port = 655 to $tincrem_ip -> \
	($ext_if) port 655

# <insert "general" NAT rule here like...>
# example:
# nat on $ext_if from 10.3.4.0/24 to any -> ($ext_if)

# <insert rest of NAT rules ...>

# <insert packet filter rules ...>

Note: I had to do a "pfctl -F all -f /etc/pf.conf" (as opposed to "pfctl
-F nat -F rules -f /etc/pf.conf") since I had an rdr rule that was
mucking up the state.  You may not have to do that if you already had a
NAT rule that dealt with port 655.


Hope this is useful to somebody.  Guus: this might make a good example
for the "tinc behind a masquerading firewall" page.


bc
Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://tinc.nl.linux.org/
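One thing the rule layout above relies on is ordering: pf evaluates translation rules (nat/rdr/binat) first-match, so the port-655 rule has to come before the general "nat on $ext_if from 10.3.4.0/24" rule or tinc's UDP traffic will be translated to a random source port after all. The script below is an added example, not part of the original post or of tinc; it embeds a constructed pf.conf fragment in the same layout (hypothetical interface and addresses), joins backslash-continued lines the way pfctl does, and reports whether the static port-655 nat rule precedes the first catch-all nat rule. The optional parse check uses pfctl's real -n (dry-run) flag and is skipped where pfctl is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a pf.conf keeps
# the static port-655 UDP nat rule ahead of the catch-all nat rule, since
# pf applies translation rules first-match.

# Constructed sample (hypothetical values) in the layout the post uses.
good_conf() {
cat <<'EOF'
ext_if="fxp0"
tincloc_ip="10.3.4.5"
tincrem_ip="30.40.50.60"
# static source port for tinc's UDP traffic
nat on $ext_if inet proto udp from $tincloc_ip port = 655 to $tincrem_ip -> \
	($ext_if) port 655
# general NAT rule for the rest of the LAN
nat on $ext_if from 10.3.4.0/24 to any -> ($ext_if)
EOF
}

# Same rules with the order swapped: the tinc rule would never match.
bad_conf() {
cat <<'EOF'
ext_if="fxp0"
tincloc_ip="10.3.4.5"
tincrem_ip="30.40.50.60"
nat on $ext_if from 10.3.4.0/24 to any -> ($ext_if)
nat on $ext_if inet proto udp from $tincloc_ip port = 655 to $tincrem_ip -> \
	($ext_if) port 655
EOF
}

# check_nat_order FILE: exit 0 if the static port-655 UDP nat rule appears
# before the first general nat rule (or there is no general rule), else 1.
check_nat_order() {
    awk '
        {
            line = $0
            # join backslash-continued lines, as pfctl does when parsing
            while (line ~ /\\[ \t]*$/) {
                sub(/\\[ \t]*$/, "", line)
                if ((getline nxt) <= 0) break
                line = line " " nxt
            }
            if (line ~ /^[ \t]*#/) next
            if (line ~ /^[ \t]*nat[ \t]/) {
                n++
                if (line ~ /proto udp/ && line ~ /port = 655/ && line ~ /-> .*port 655/)
                    specific = n
                else if (!general)
                    general = n
            }
        }
        END {
            if (specific && (!general || specific < general)) exit 0
            exit 1
        }
    ' "$1"
}

# parse_check FILE: syntax-check with pfctl -n (parse only, nothing is
# loaded); a no-op on hosts without pfctl.
parse_check() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    fi
}

# Usage: sh check_pf_nat.sh /etc/pf.conf
if [ -n "${1:-}" ]; then
    if check_nat_order "$1" && parse_check "$1"; then
        echo "ok: port-655 nat rule precedes the general nat rule in $1"
    else
        echo "problem: port-655 nat rule missing or listed after the general nat rule in $1"
        exit 1
    fi
fi
```

After the file passes, load it as the post describes ("pfctl -F all -f /etc/pf.conf") and confirm the translation with "pfctl -s state": the tinc UDP entry should show the external address with port 655 on both sides of the translation rather than a high random port.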