NetBSD-Users archive


Re: problem with interfaces



What I am trying to do is to create an internal virtual network 10.0.0.0/24 of virtual NetBSD PCs, with one of them acting as gateway. I configured npf on this gateway, but the rules, as explained on the net (http://www.netbsd.org/~rmind/npf/#_introduction), have changed compared to the rules as explained in the npf.conf man page. I use map in the npf firewall to get any 10.0.0.x outgoing packet converted to 192.168.100.9 (the IP of the external interface on the NetBSD gateway). The problem is with the rules: if I declare rules like this (see below), all works, and I can for instance telnet my real network mail server on port 25 either from the gateway or from any other NetBSD in the virtual LAN:

# allow any internal traffic
group (name "internal" interface $int_if) {
  pass all
}

group (name "in" interface $int_if, in) {
  pass all
}


group (name "out" interface $int_if, out) {
  pass all
}

group (default) {
  block all
}

but of course, the idea is to limit the traffic to and from the outside world, so I try to put something (just a test) like:

pass stateful final proto tcp from 10.0.0.2 to any port 25

in the "out" group, but it does not work. I even used any to any port 25, but nothing short of pass all seems to work. What would a rule to let my internal postfix server reach an external mail server look like? How can I activate logging on npf? I have some experience with OpenBSD's pf, but npf not only uses a different dev log device, it needs a new kernel module, I think.
thanks
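Added example (editor's note, not part of the original post or of NetBSD's own documentation): one way to arrange the rules so that only SMTP from the LAN reaches the outside, and to get logging, written in the same group syntax the post uses. The interface names (vioif0, wm0), the procedure/apply logging syntax and the placement of the map line are assumptions taken from the npf.conf(5) of that era and should be checked against the man page of the installed release. The point of the layout is that packets from 10.0.0.x to the outside world egress on the external interface, so a rule in an "out" group bound to $int_if never sees them; the restriction belongs on $ext_if, and "stateful" lets the SMTP replies back in without a separate inbound rule.

```conf
# Assumed interface names: vioif0 faces the 10.0.0.0/24 virtual LAN,
# wm0 faces the real 192.168.100.0/24 network.
$ext_if = "wm0"
$int_if = "vioif0"

# Logging goes to the npflog0 pseudo-interface rather than a /dev node:
#   ifconfig npflog0 create
#   tcpdump -n -i npflog0
# Procedure/apply syntax is an assumption to verify in npf.conf(5).
procedure "log" {
  log: npflog0
}

# Same translation as in the post: LAN sources leave as 192.168.100.9.
map $ext_if dynamic 10.0.0.0/24 -> 192.168.100.9

# LAN side: everything between the gateway and the virtual PCs is allowed.
group (name "internal" interface $int_if) {
  pass final all
}

# Outside side, outbound: this is where traffic from the LAN to the outside
# actually leaves, so this is where it is restricted.  Only SMTP from the
# postfix host may go out; "stateful" admits the replies.  Assumption: the
# rule is matched against the pre-translation source address (10.0.0.2);
# if the installed release matches after translation, use "from any".
group (name "external" interface $ext_if, out) {
  pass stateful final proto tcp from 10.0.0.2 to any port 25
  block final all apply "log"
}

# Outside side, inbound: nothing unsolicited, and every drop is logged so
# it can be watched on npflog0 while debugging the ruleset.
group (name "external-in" interface $ext_if, in) {
  block final all apply "log"
}

group (default) {
  block all
}
```

After loading it (npfctl reload followed by npfctl start, if the npf module and /etc/npf.conf are in place), a telnet to port 25 from 10.0.0.2 should go through while any other destination port from the LAN shows up as a logged block on npflog0; npfctl stats also counts passes and blocks per direction, which is the quickest way to see which group a dropped packet is hitting.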


