openbsd做NAT死活不通，救命啊

ioerr

回复 20# congli


    版主给他们邮件列表问下吧。我不会用

ioerr

关于1楼蓝色规则不通原因可能如下：

pf FAQ中有如下一段：
Translation Rule Exceptions

If you need to translate most traffic, but provide exceptions in some cases, make sure that the exceptions
are handled by a filter rule which does not include the nat-to parameter. For example, if the NAT
example above was modified to look like this:

pass out on tl0 from 192.168.1.0/24 to any nat-to
24.2.74.79
pass out on tl0 from 192.168.1.208 to any

Then the entire 192.168.1.0/24 network would have its packets translated to the external address
24.2.74.79 except for 192.168.1.208.

因此1楼蓝色规则中，后面的那条pass all符合这个说法，所以不通！！！

ioerr

做nat后，如果想排除某些ip，后面跟一条pass out on $ext_if from yourIP to any,或者更宽泛的pass out规则，要包含前面的那个。详细的我还没试，感觉还不如原来的方便。

congli

1. 
   
2. ext_if = "em1"
   
3. int_if = "em0"
   
4. lo_if  = "lo0"
   
5. 
   
6. pass quick on $lo_if all
   
7. pass quick on $int_if all keep state
   
8. 
   
9. pass out on $ext_if from 192.168.2.0/24 to any nat-to $ext_if
   
10. #block all
    
11. pass all
    

复制代码

刚才试了一下,都是不通,看来这pass all不能随便用,得看上下文,否则实际效果跟想的有的出入.

ioerr

如果不想受pass all 的影响，前面加上quick即可。刚测试过，大家可以再试试看。

ioerr

pass out quick on $ext_if from 192.168.2.0/24 to any nat-to $ext_if
block all

这个也不通，我真晕啊。按说加了quick就ok了，不通！看faq去

ioiioi

回复 16# congli


    嗯，nat问题也把我搞死了，根据版主的这种做法，我终于配通了nat，但是跟pf faq有很大差异，难道openbsd4.8的文档质量下降了？

This would lead to a most basic form of these lines similar to this:

    match out on tl0 from 192.168.1.0/24 to any nat-to 24.5.0.5
    pass on tl0 from 192.168.1.0/24 to any

or you may simply use

    pass out on tl0 from 192.168.1.0/24 to any nat-to 24.5.0.5

This rule says to perform NAT on the tl0 interface for any packets coming from 192.168.1.0/24 and to replace the source IP address with 24.5.0.5.

ioiioi

match out on $ext_if from !($ext_if) to any nat-to ($ext_if)
   
block all
pass out on $ext_if all
pass in on $lan_if to port blah blah
pass in on $dmz_if to port blah blah
pass quick inet from $lan_net to $dmz_net blah blah
pass quick inet from $dmz_net to $lan_net blah blah

因为4.8的nat中必须要pass out on tl0 all，相当于允许openbsd的外网卡可以访问外面所有的服务，因此在入方向需要做限制。

guoruimin

实在不行，换linux！
性能高，驱动全。

congli

Linux也不行! 换M$?