This is a discussion on Firewall / NAT on 3.3 within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Hi all,

I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway. I've read lots of documentation and configured the machine correctly. However, I still can't get out of the box.

I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a pf.conf file from the OpenBSD firewall example. The only exception here is that I've omitted the rdr entry, the tcp_services and icmp_types, then I enabled PF in the /etc/rc.conf file as well.

From what I've read and (mis)understood this is all I need to do, am I right in this assumption? If this is the case can anyone help me out here?

I'd appreciate your assistance here thanks.

--
Regards,
Wm. G. Urquhart
(s/_//g to reply.)
| |||
Wm. G. Urquhart wrote:
> Hi all,
>
> I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway.
> I've read lots of documentation and configured the machine correctly.
> However, I still can't get out of the box.
>
> I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a
> pf.conf file from the OpenBSD firewall example. The only exception
> here is that I've omitted the rdr entry, the tcp_services and
> icmp_types, then I enabled PF in the /etc/rc.conf file as well.
>
> From what I've read and (mis)understood this is all I need to do, am
> I right in this assumption? If this is the case can anyone help me
> out here?
>
> I'd appreciate your assistance here thanks.
>

Switch on logging, and use tcpdump -nettti pflog0. If that doesn't help, start tcpdump on the normal interfaces to see where you made mistakes.

EJ
--
Remove the obvious part (including the dot) for my email address
| |||
erik wrote:
> Wm. G. Urquhart wrote:
>
>>Hi all,
>>
>>I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway.
>>I've read lots of documentation and configured the machine correctly.
>>However, I still can't get out of the box.
>>
>>I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a
>>pf.conf file from the OpenBSD firewall example. The only exception
>>here is that I've omitted the rdr entry, the tcp_services and
>>icmp_types, then I enabled PF in the /etc/rc.conf file as well.
>>
>>From what I've read and (mis)understood this is all I need to do, am
>>I right in this assumption? If this is the case can anyone help me
>>out here?
>>
>>I'd appreciate your assistance here thanks.
>>
>
> Switch on logging, and use tcpdump -nettti pflog0. If that doesn't help,
> start tcpdump on the normal interfaces to see where you made mistakes.
>
> EJ

Did you reboot after changing /etc/sysctl.conf? You could also use sysctl -w net.inet.ip.forwarding=1 to save a reboot.

HTH.
| |||
In article <bhldis$n1e$3@otis.netspace.net.au>, Bards wrote:
> erik wrote:
>> Wm. G. Urquhart wrote:
>>
>>>Hi all,
>>>
>>>I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway.
>>>I've read lots of documentation and configured the machine correctly.
>>>However, I still can't get out of the box.
>>>
>>>I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a
>>>pf.conf file from the OpenBSD firewall example. The only exception
>>>here is that I've omitted the rdr entry, the tcp_services and
>>>icmp_types, then I enabled PF in the /etc/rc.conf file as well.
>>>
>>>From what I've read and (mis)understood this is all I need to do, am
>>>I right in this assumption? If this is the case can anyone help me
>>>out here?
>>>
>>>I'd appreciate your assistance here thanks.
>>>
>>
>> Switch on logging, and use tcpdump -nettti pflog0. If that doesn't help,
>> start tcpdump on the normal interfaces to see where you made mistakes.
>>
>
> Did you reboot after changing /etc/sysctl.conf ? you could also use
> sysctl -w net.inet.ip.forwarding=1 to save a reboot.
>

Hi,

Using tcpdump produces a continuous stream of arp requests, speaking of which. I get this popping up:

blowfish /bsd: arpresolve: can't allocate llinfo

What does this mean? Could this explain why things don't work?

--
Regards,
Wm. G. Urquhart
(s/_//g to reply.)
| |||
Wm. G. Urquhart wrote:
> In article <bhldis$n1e$3@otis.netspace.net.au>, Bards wrote:
>
>>erik wrote:
>>
>>>Wm. G. Urquhart wrote:
>>>
>>>>Hi all,
>>>>
>>>>I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway.
>>>>I've read lots of documentation and configured the machine correctly.
>>>>However, I still can't get out of the box.
>>>>
>>>>I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a
>>>>pf.conf file from the OpenBSD firewall example. The only exception
>>>>here is that I've omitted the rdr entry, the tcp_services and
>>>>icmp_types, then I enabled PF in the /etc/rc.conf file as well.
>>>>
>>>>From what I've read and (mis)understood this is all I need to do, am
>>>>I right in this assumption? If this is the case can anyone help me
>>>>out here?
>>>>
>>>>I'd appreciate your assistance here thanks.
>>>>
>>>
>>>Switch on logging, and use tcpdump -nettti pflog0. If that doesn't help,
>>>start tcpdump on the normal interfaces to see where you made mistakes.
>>>
>>
>>Did you reboot after changing /etc/sysctl.conf ? you could also use
>>sysctl -w net.inet.ip.forwarding=1 to save a reboot.
>>
>
> Hi,
>
> Using tcpdump produces a continuous stream of arp requests, speaking of
> which. I get this popping up :
>
> blowfish /bsd: arpresolve: can't allocate llinfo
>
> What does this mean? Could this explain why things don't work?
>

I'm having the same problem. I found here it mentions something about setting up a bridge:

http://www.jp.daemonnews.org/200207/transpfobsd.html

I haven't tried it yet, but interestingly enough I noticed that the pf example doesn't have any nat commands, whereas the example at OpenBSD.org does. Being that I installed OpenBSD for the first time 5 days ago, I'm not much help beyond this, but you might want to look at that site. I would be interested also if this does the trick as I am going to try this out tomorrow.

Hope this helps. Anyone reading this, I would also be interested in your opinion on the tutorial mentioned above.

Joe
| |||
On Sun, 17 Aug 2003 00:21:09 +0800, @(none).adelphia.net wrote:
> I'm having the same problem,
> I found here it mentions something about setting up a bridge:

Not needed. NAT defies bridge.

> http://www.jp.daemonnews.org/200207/transpfobsd.html I haven't tried it
> yet, but interesting enough I noticed that the pf example doesn't have
> any nat commands, where as the example at OpenBSD.org does.

See above. Try the example from OpenBSD. Works flawlessly on 3.3.

Uwe

P.S.: Follow the advice in this thread and provide details of your setup and what you want for further help, if still required.
| |||
On Sat, 16 Aug 2003, Wm. G. Urquhart wrote:
> Hi all,
>
> I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway.
> I've read lots of documentation and configured the machine correctly.
> However, I still can't get out of the box.
>
> I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a
> pf.conf file from the OpenBSD firewall example. The only exception
> here is that I've omitted the rdr entry, the tcp_services and
> icmp_types, then I enabled PF in the /etc/rc.conf file as well.
>

I would like to have a look at your pf.conf, can you paste it?

> From what I've read and (mis)understood this is all I need to do, am
> I right in this assumption? If this is the case can anyone help me
> out here?
>
> I'd appreciate your assistance here thanks.
>
> --
> Regards,
>
> Wm. G. Urquhart
> (s/_//g to reply.)
>

--
Johan Berg
| |||
"Wm. G. Urquhart" wrote:
> Hi all,
>
> I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway.
> I've read lots of documentation and configured the machine correctly.
> However, I still can't get out of the box.
>
> I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a
> pf.conf file from the OpenBSD firewall example. The only exception
> here is that I've omitted the rdr entry, the tcp_services and
> icmp_types, then I enabled PF in the /etc/rc.conf file as well.
>
> From what I've read and (mis)understood this is all I need to do, am
> I right in this assumption? If this is the case can anyone help me
> out here?
>
> I'd appreciate your assistance here thanks.

Since there is not much chance you made wrong changes in your sysctl.conf and rc.conf files, you probably made a mistake in your pf.conf. Could you post your pf.conf file in here?

P.S. Don't forget to reboot or restart your sysctl.

--
Joris Kemperman
| |||
Wm. G. Urquhart wrote:
> Hi all,
>
> I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway.
> I've read lots of documentation and configured the machine correctly.
> However, I still can't get out of the box.
>
> I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a
> pf.conf file from the OpenBSD firewall example. The only exception
> here is that I've omitted the rdr entry, the tcp_services and
> icmp_types, then I enabled PF in the /etc/rc.conf file as well.
>
> From what I've read and (mis)understood this is all I need to do, am
> I right in this assumption? If this is the case can anyone help me
> out here?
>
> I'd appreciate your assistance here thanks.
>

http://www.fmi.uni-passau.de/~grafj/...T_und_Firewall

Commented in German, but may be understandable and working for you, too.
| ||||
On Sat, 16 Aug 2003 13:03:06 GMT, "Wm. G. Urquhart" <wgu@factotum.wurquhart.co.uk> said the following:
>Hi all,

Hello.

>I'm trying to configure an OpenBSD 3.3 box as a Firewall/NAT/Gateway.
>I've read lots of documentation and configured the machine correctly.
>However, I still can't get out of the box.
>
>I've set net.inet.ip.forwarding=1 in /etc/sysctl.conf, created a
>pf.conf file from the OpenBSD firewall example. The only exception
>here is that I've omitted the rdr entry, the tcp_services and
>icmp_types, then I enabled PF in the /etc/rc.conf file as well.

Assuming your system is supposed to be working right now, what is your output to the following commands:

$ pfctl -s rules
$ pfctl -s nat
$ ifconfig <driver_of_internal_nic>
$ ifconfig <driver_of_external_nic>
$ netstat -rnf inet

You might as well tell me how you are trying to connect to the net.
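A static pre-flight check on the three files this thread names (sysctl.conf, rc.conf, pf.conf), as an added example that is not part of any post above. The function names are hypothetical, and the sample pf.conf is constructed: it assumes the tcp_services and icmp_types macro definitions were removed while rules that reference them stayed, which the thread does not confirm.

```shell
#!/bin/sh
# Added example: static checks on the files named in the thread.
# All sample file contents below are constructed.

# Succeeds if sysctl.conf has an uncommented net.inet.ip.forwarding=1.
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*1([[:space:]#]|$)' "$1"
}

# Succeeds if rc.conf sets pf=YES.
pf_enabled() { grep -Eq '^[[:space:]]*pf="?YES"?' "$1"; }

# Succeeds if pf.conf has an uncommented "nat on ..." rule.
has_nat_rule() { grep -Eq '^[[:space:]]*nat[[:space:]]+on[[:space:]]' "$1"; }

# Prints, sorted, each $macro that pf.conf uses but never defines.
undefined_macros() {
    awk '
    { sub(/#.*/, "") }                            # strip comments
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {      # macro definition
        name = $0; sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*/, "", name)
        defined[name] = 1
    }
    { line = $0                                   # collect macro uses
      while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
          used[substr(line, RSTART + 1, RLENGTH - 1)] = 1
          line = substr(line, RSTART + RLENGTH)
      } }
    END { for (m in used) if (!(m in defined)) print m }' "$1" | sort
}

# Constructed sample: macro definitions removed, rules using them kept.
sample_pf_conf() {
    cat <<'EOF'
int_if = "fxp0"
ext_if = "ep0"
# tcp_services and icmp_types definitions deleted here
nat on $ext_if from $int_if:network to any -> ($ext_if)
block all
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
EOF
}

tmp=$(mktemp) && sample_pf_conf > "$tmp"
has_nat_rule "$tmp" && echo "nat rule: present"
echo "undefined macros: $(undefined_macros "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

These checks only read the files; what is actually loaded still has to be confirmed with the pfctl -s rules and pfctl -s nat output requested above.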