> [email protected] (zje.net.cn), 2016.01.19 (Tue) 03:37 (CET):
> > Hi, I'm testing NAT with pf on OpenBSD 5.8, but I cannot make it
> > successful. There is a server with pf having an internal IP 10.0.11.200 and
> > external IP 61.xxx.xx.xx,
> > then, I make a pf.conf with contents like below (having enabled IP
> > forwarding):
> >
> > #my define
> > int_if = "de1" #10.0.11.200
> > ext_if = "de2" #61.xxx.xx.xx
> > int_net = "10.0.11.0/24"
> > #my rules
> > pass out on $ext_if inet from $int_if:network to any nat-to $ext_if
If those rules are your entire ruleset, forwarding is enabled and all interfaces involved are correctly set up (not forgetting netmasks), this should just work.

First, do

~$ sysctl net.inet.ip.forwarding

If the response isn't exactly

net.inet.ip.forwarding=1

that's at least one of your problems.

Next, check that both de1 and de2 are in fact configured and functional (as in, ifconfig output should include at least "UP" and "RUNNING"), check that you can ping the configured address on the gateway itself and from the client, check that netmasks match on both client and gateway, check the client's routing, and of course check that your pf.conf doesn't have one or more 'block' statements you haven't shown us.

And as Marcus said earlier,

> your lovely dos box image shows that the connection is in SYN state; I
> guess your client (10.0.11.19) just gets blocked when entering the
> firewall via de1.

This means that your client has a route for the target address that it considers valid, however in that state it has yet to receive *anything* back from the intended target address. Going through the steps I outlined in the previous paragraph will tell you why that is so.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
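The checklist in the reply above (forwarding sysctl, interface flags, matching netmasks, hidden block rules), written out as a small POSIX sh script. This is an added example, not code from the thread or from the OpenBSD project; the functions take command output as text so they run offline against the constructed samples at the bottom, and can equally be fed live output on the gateway (`check_forwarding "$(sysctl net.inet.ip.forwarding)"`, `check_iface_up "$(ifconfig de1)"`). The interface names de1/de2, the 10.0.11.0/24 network and the client 10.0.11.19 come from the thread; the sysctl, ifconfig and pf.conf sample texts are constructed for the example.

```shell
#!/bin/sh
# Added example: the gateway checks from the reply, as shell functions that
# take command output as text (constructed samples below; on a real gateway
# pass the live output of sysctl/ifconfig instead).

# Step 1: IP forwarding. The sysctl line must read exactly net.inet.ip.forwarding=1.
check_forwarding() {
    [ "$1" = "net.inet.ip.forwarding=1" ]
}

# Helper: print the comma-separated flags from the first ifconfig line, one per line.
iface_flags() {
    printf '%s\n' "$1" | sed -n '1s/.*<\([^>]*\)>.*/\1/p' | tr ',' '\n'
}

# Step 2: interface state. Both UP and RUNNING must appear as whole flags
# (whole-line matching avoids false hits on other flag names).
check_iface_up() {
    iface_flags "$1" | grep -qx 'UP' && iface_flags "$1" | grep -qx 'RUNNING'
}

# Helper: dotted quad (10.0.11.19) or hex mask as ifconfig prints it
# (0xffffff00) -> integer.
addr_to_int() {
    case $1 in
        0x*) echo $(( $1 )) ;;
        *)
            old_ifs=$IFS; IFS=.
            set -- $1
            IFS=$old_ifs
            echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
            ;;
    esac
}

# Step 3: netmask sanity. Client and gateway must land in the same network
# under the mask the client uses, or the client never reaches the gateway.
same_subnet() {
    a=$(addr_to_int "$1"); b=$(addr_to_int "$2"); m=$(addr_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Step 4: hidden block rules. Count ruleset lines whose first token is 'block'
# (comment lines start with '#' and are therefore not counted).
count_block_rules() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*block' || true
}

# Run every check and print one PROBLEM line per failed check.
#   $1 sysctl output   $2 ifconfig output for the internal interface
#   $3 client IP       $4 gateway IP   $5 client netmask   $6 pf.conf text
run_diagnostics() {
    check_forwarding "$1" || echo "PROBLEM: IP forwarding is off ($1)"
    check_iface_up "$2"   || echo "PROBLEM: internal interface is not UP and RUNNING"
    same_subnet "$3" "$4" "$5" || \
        echo "PROBLEM: client $3 and gateway $4 are not in one subnet under mask $5"
    n=$(count_block_rules "$6")
    [ "$n" -eq 0 ] || echo "PROBLEM: ruleset has $n block rule(s) not shown; check they allow the NAT path"
    return 0
}

# Constructed sample output, shaped like OpenBSD sysctl/ifconfig output and the
# poster's pf.conf with one extra block rule added for the demonstration.
SAMPLE_SYSCTL='net.inet.ip.forwarding=0'
SAMPLE_IFCONFIG='de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        inet 10.0.11.200 netmask 0xffffff00 broadcast 10.0.11.255'
SAMPLE_PFCONF='int_if = "de1"
ext_if = "de2"
block in all
pass out on $ext_if inet from $int_if:network to any nat-to $ext_if'

# Prints two PROBLEM lines for the samples: forwarding off, and one block rule.
run_diagnostics "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" 10.0.11.19 10.0.11.200 255.255.255.0 "$SAMPLE_PFCONF"
```

The netmask check accepts the hex form ifconfig prints on OpenBSD (0xffffff00) as well as dotted quads, so the client's mask (from its own ifconfig or ipconfig output) and the gateway's can be compared directly; a mismatch there produces exactly the SYN-with-no-reply symptom Marcus pointed at, because the client either never ARPs for the gateway or sends to the wrong one.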

