Subject: Re: Setting up NAT and then a firewall...
To: Sam Carleton <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 07/22/2001 14:37:49
In message <3B5B1C08.24F807FC@miltonstreet.com>, Sam Carleton writes:
>Manuel Bouyer wrote:
>> Ha, NO ipfilter rules. ipfilter needs to be enabled for NAT to work.
>> Try 'ipf -E' to test. You may want to create a dummy /etc/ipf.conf with just
>> pass in from any to any and enable ipf in /etc/rc.conf, so that ipf -E will
>> be run at boot.
>This is very interesting. You say that ipfilter needs to be enabled for NAT
>to work. The rest of my ipnat.conf file is working just fine. I have a
>number of computers behind the NetBSD machine and they all are able to access
>the Internet thanks to the first three lines of the ipnat.conf file. But all
>the same I took your word for it and created a basic ipf.conf that simply has:
>pass in from any to any
>I set ipfilter=Yes in the /etc/rc.conf and rebooted. When I ssh from the
>outside, I still end up on the NetBSD machine (future firewall). Any more
>thoughts on what I can try?
Have you checked out the IPfilter "howto", at
http://www.obfuscation.org/ipf/ipf-howto.txt? (That link is
on the NetBSD documentation page.) I seem to recall that it gave
some instructions on what to use -- not just
pass in from any to any
but also (I think)
pass out from any to any
--Steve Bellovin, http://www.research.att.com/~smb
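A minimal three-file setup that follows the advice in this thread, as an added example rather than anything posted above; the external interface `ex0`, the LAN `192.168.1.0/24` and the internal host `192.168.1.10` are assumptions:

```conf
# /etc/rc.conf (fragment): enable both the filter and NAT at boot.
# NetBSD's rc scripts run "ipf -E" and load /etc/ipf.conf when
# ipfilter=YES, and load /etc/ipnat.conf when ipnat=YES.
ipfilter=YES
ipnat=YES

# /etc/ipf.conf: the placeholder ruleset from the thread. It passes
# everything in both directions, so the box is not yet a firewall;
# it only makes sure ipf is active so ipnat has something to hook into.
# Replace these two lines with real rules once NAT is confirmed working.
pass in from any to any
pass out from any to any

# /etc/ipnat.conf (constructed example; interface and addresses are
# assumptions, not values from the thread).
#
# Hide the LAN behind the address of ex0 (0/32 = the interface's own
# address), rewriting source ports so several internal hosts can share
# one public address; the second map line covers non-TCP/UDP traffic.
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ex0 192.168.1.0/24 -> 0/32
# Redirect inbound ssh on the public address to an internal host.
# If ipf is not enabled or this rdr rule is not loaded, an ssh from
# outside lands on the NetBSD machine itself, the symptom described above.
rdr ex0 0.0.0.0/0 port 22 -> 192.168.1.10 port 22 tcp
```

Load by hand with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`; `ipf -V` reports whether the filter is running and `ipnat -l` lists the active NAT rules, which is the quickest way to confirm the rdr rule was actually loaded.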