[OpenBSD] Problem with pf

cogent · Sep 17, 2015

Code:

ext_if="em0"
int_if="em1"
localnet=$int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
block all

it gives me a syntax error on line 4

kpa · Sep 17, 2015

Write it like this instead:

Code:

nat on $ext_if inet from ! $ext_if to any -> ($ext_if)

There's no need to restrict the source addresses only to the internal net like you wanted to do, whatever is going out via $ext_if needs to be NAT'ed unless it's sourced directly from the public IP bound on $ext_if. I took the liberty of adding the inet keyword to limit the NAT to IPv4 only.

DutchDaemon · Sep 17, 2015

Or try the more generic

Code:

nat on $ext_if from !self

cogent · Sep 17, 2015

Still syntax error on both, iI'm on ~~openbsd~~OpenBSD 5.7 by the way.

kpa · Sep 17, 2015

In that case your question is offtopic here being FreeBSD forums but I'll show what I have on 5.8 pre-release:

Code:

match out on egress inet from !(egress:network) to any nat-to (egress:0)

OpenBSD moved to newer syntax some time ago and the syntax of FreeBSD PF is no longer compatible.

junovitch@ · Sep 18, 2015

I'd be surprised if man pf.conf doesn't give you the same accurate, OS-specific information, on OpenBSD as it does in FreeBSD's pf.conf(5). That's certainly going to be the go to place to get what you need in the future. I'm going to close the topic as we don't support other operating systems so if you do run into problems please direct them toward the OpenBSD mailing lists.

[OpenBSD] Problem with pf

cogent

kpa

DutchDaemon

Administrator

cogent

kpa

junovitch@