Re: Hiding NATs with PF
From: Max Bolingbroke (batterseapower_at_hotmail.com)
Date: 09/29/05
Date: 29 Sep 2005 02:51:36 -0700
Simon Farnsworth wrote:
> You need a block rule to get PF to avoid it. Given a table <private> with
> all RFC 1918 addresses in it:
>
> block quick on $ext_if from <private> to any
That's a great help. However, at the moment I am testing the NAT by
having it nested within another NAT, so enabling this rule would block
the external interface from sending/receiving any packets since it
itself has an address in the 192.168.1.x range. I remedied this by
using a rule like:
block drop out quick on $ext_if from 192.168.2.0/24 to any
Where the NATed network managed by OpenBSD has addresses in the range
192.168.2.x. This should be OK, right?
> This stops your machine sourcing private addresses, and "all" you need to do
> is make sure that the cables *never* get swapped; if your internal
> interface is connected to the campus network, you run the risk of big
> trouble.
Mmm.. poisoning routing information would be the least of my worries
given that I'd be handing out DHCP leases to all and sundry.
Thanks for your help,
Max
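
Added example, not part of the original posts: a pf.conf sketch of the two ways to keep the anti-leak rule while the external interface itself has a 192.168.1.x address during the nested-NAT test. The interface name fxp0 and the /24 prefix of the outer network are assumptions.

```conf
# Constructed example. fxp0 and 192.168.1.0/24 (outer test network)
# are assumptions, not values from the thread.
ext_if  = "fxp0"
int_net = "192.168.2.0/24"      # NATed network behind the OpenBSD box

# Full RFC 1918 table with the outer test network carved out by a
# negated entry, so the firewall's own 192.168.1.x address is not matched.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                        !192.168.1.0/24 }

# Use ONE of the two rules below.

# Option 1: the narrow rule from the message above. Stops only the inner
# network's addresses from leaving the external interface.
block drop out quick on $ext_if from $int_net to any

# Option 2: the table-based rule from the quoted reply, usable here
# because of the negated entry in <private>.
# block drop out quick on $ext_if from <private> to any

# Checks before loading:
#   pfctl -nf /etc/pf.conf                   # parse only, do not load
#   pfctl -t private -T test 192.168.1.10    # expected: no match
#   pfctl -t private -T test 192.168.2.10    # expected: match
```

Once the box is moved off the nested test network, drop the negated entry so the table again covers all RFC 1918 space.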