[Solved] NAT with pf: trouble getting out from internal network

I've got pf.conf set up like this on a NAT box:

Code:
ext_if = "xn0"
scrub in all
nat on $ext_if inet from ! $ext_if to any -> $ext_if
block all
set skip on lo0

pass in log on $ext_if proto tcp from any to self port {22}
pass out log on $ext_if proto tcp to any port { 80, 443}

With this, the NAT itself can be reached via SSH and can get out to fetch updates, but it doesn't allow private subnet machines out to fetch updates (via freebsd-update fetch). If I replace the last two lines with:

Code:
pass in all
pass out all

...the private subnet box can then fetch updates just fine. I don't want to leave the NAT firewall totally open, so how can I limit the ports (as I attempted above) while still allowing the private subnet boxes to get updates? On all boxes, I've got the freebsd-update servers listed in /etc/hosts.

Thanks for any help.
 
Where's the traffic coming in? If there's an internal interface connected to the internal network, the 'block all' rule blocks all traffic coming in through that interface.
 
This is on AWS VPC. If I understand correctly, there is an entry in the route table that directs the private subnet traffic to the NAT instance. There is only one interface, ext_if.
 
There is only one interface, ext_if.
That's going to pose problems:
Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since such
     packets do not actually pass through the external interface.
     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.
From pf.conf(5)
 
I see, but I'm still a bit confused... please bear with me. Is this along the lines of what I should do:

Code:
ext_if = "xn0"
int_if = "xn1"
lan_net = "10.0.1.0/24"  # private subnet

scrub in all
nat on $ext_if inet from $lan_net to any -> $ext_if
block all
set skip on lo0

pass in log on $int_if proto tcp from $lan_net to any port { 80, 443 }
pass out log on $int_if to $lan_net

pass in log on $ext_if proto tcp from any to self port {22}
pass out log on $ext_if proto tcp to any port { 80, 443}

I'd also want to create a route in EC2 from the private subnet to the $int_if.
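The restricted ruleset from the post above, assembled as an added example (not a config posted in the thread). It keeps the interface names and subnet from the thread; the update_ports macro, logging on the block rule, the antispoof rule and the comments are additions. The point it illustrates is that "block all" was dropping the clients' traffic because no pass in rule matched it on the interface where it arrives, so that rule is what the restricted set was missing.

```pf
# Added example, not from the thread. Assumes the two-interface layout from
# the last post: xn0 faces the Internet, xn1 faces the private subnet.
ext_if       = "xn0"
int_if       = "xn1"
lan_net      = "10.0.1.0/24"   # private subnet
update_ports = "{ 80, 443 }"   # freebsd-update fetch uses HTTP; 443 kept as in the thread

# pf.conf order: options, normalization, translation, filtering.
set skip on lo0
scrub in all

# Translate only the private subnet's traffic as it leaves the external
# interface. ($ext_if) tracks the interface's current address.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny; log drops so a blocked client shows up on pflog0 instead of
# failing silently. 'quick' on antispoof so a later pass rule cannot override it.
block log all
antispoof log quick for { $ext_if, $int_if }

# Management access to the NAT box itself (as in the thread).
pass in log on $ext_if proto tcp from any to self port 22

# Clients are admitted on the inside interface, only for the update ports.
# This is the rule the restricted set lacked. With the default floating
# state policy the state created here also passes the replies back out
# through $int_if, so no separate pass out on $int_if is required.
pass in log on $int_if proto tcp from $lan_net to any port $update_ports

# Egress for both the box's own updates and the translated client traffic.
pass out log on $ext_if proto tcp to any port $update_ports
```

Check the ruleset with pfctl -nf before loading it, and watch pflog0 (tcpdump -n -e -ttt -i pflog0) while a client runs freebsd-update fetch to see which rule, if any, is still dropping its traffic.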
 