Re: pf + binat

To:	Rafael Coninck Teigao <rafael@SafeCore.NET>
Subject:	Re: pf + binat
From:	Daniel Hartmeier <daniel@benzedrine.cx>
Date:	Thu, 28 Feb 2002 19:04:59 +0100
Cc:	OpenBSD Misc <misc@openbsd.org>
In-reply-to:	<3C7E6A09.545BF4E1@SafeCore.NET>; from rafael@SafeCore.NET on Thu, Feb 28, 2002 at 02:34:01PM -0300
References:	<3C7E6A09.545BF4E1@SafeCore.NET>
Sender:	owner-misc@openbsd.org
User-agent:	Mutt/1.2.5.1i

On Thu, Feb 28, 2002 at 02:34:01PM -0300, Rafael Coninck Teigao wrote:

> binat on ne3 from 10.0.0.139 to any -> 192.168.1.1
> 
>     Where ne3 is the iface that has the address 192.168.1.1 and
> 10.0.0.139 is assigned to my rl0 iface. Machine connected to ne3 can
> ping (and even connect to) 10.0.0.139, but they can't get to do anything
> to 10.0.0.138.

binat translates source addresses for outgoing packets, and destination
addresses for incoming packets, on the interface specified in the binat
rule.

Your rule translates source address 10.0.0.139 to 192.168.1.1 for
packets going out on ne3, and destination address 192.168.1.1 to
10.0.0.139 for packets coming in on ne3.

Other addresses, like 10.0.0.138, are never translated. I think you're
using binat where you should rather use two nat rules (or no translation
at all, if the hosts use the firewall as gateway to the other networks).

Daniel

<Prev in Thread]	Current Thread	[Next in Thread>
pf + binat, Rafael Coninck Teigao Re: pf + binat, Daniel Hartmeier <=

Previous by Date:	pf + binat, Rafael Coninck Teigao
Next by Date:	Re: Turning on pf logging after switching from ipf., Shawn Wilton
Previous by Thread:	pf + binat, Rafael Coninck Teigao
Next by Thread:	C Compiler, Dennis Myhand
Indexes:	[Date] [Thread] [Top] [All Lists]