From owner-freebsd-pf@FreeBSD.ORG Wed Jul 20 07:38:41 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E9B016A41F for ; Wed, 20 Jul 2005 07:38:41 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id ACF9943D49 for ; Wed, 20 Jul 2005 07:38:40 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id B127225249D for ; Wed, 20 Jul 2005 08:38:37 +0100 (BST)
From: "Greg Hennessy"
To:
Date: Wed, 20 Jul 2005 08:38:37 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcWM8IrhFsO4SbVkTIyvTLUEEEvhNQADC3oA
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
In-Reply-To: <20050720054644.68432.qmail@web32401.mail.mud.yahoo.com>
Message-Id: <20050720073837.AA41F1C@gw2.local.net>
Subject: RE: NAT problem with icmp
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 20 Jul 2005 07:38:41 -0000

> Hi,
> Here is simple explanation :
> This is my pf.conf
>
> extif="{ ed0 }"
> extip="{ (ed0) }"
> table { 192.168.1.0/24 }
> nat on $extif from to any -> $extip
> pass all

The syntax for the nat statement above doesn't look right.

> I want to ping from my lan stations to a public dns server
> like 192.9.9.3 look at my state table:

You need to add a pass rule on the inside interface to make it so.

At the very least your packet filtering policy should consist of the following in addition to what you have above.
# macros
ICMP="inet proto icmp"
KS="keep state"
intif="dc0"                  # the inside (LAN) interface
.
.
# options
set block-policy return      # reply with RST/ICMP unreachable instead of silently dropping
#
# If using CURRENT otherwise use the pass rule below.
set skip on lo0              # never filter loopback
.
.
.
# filter rules: default deny, then open what is needed
block log all
# on 5.x instead of 'set skip'
pass on lo0 all keep state
#
# let echo requests from the LAN out through the inside interface, creating
# state so the replies are matched on the way back
pass in log quick on $intif $ICMP from $intif:network to !$intif:network icmp-type echoreq $KS

Make sure you have routing enabled as appropriate.

Greg
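A complete minimal pf.conf for the set-up discussed in this thread, as an added example that is not Greg's rule set or the original poster's file. It assumes ed0 is the outside interface and dc0 the inside one, and it uses a hypothetical table name <lan>, since the quoted configuration shows no name between "table" and the address list.

```pf
# Added example: NAT for a 192.168.1.0/24 LAN on dc0 out through ed0, with
# ICMP echo handled statefully. Interface names and the table name <lan>
# are assumptions, not values from the thread.
ext_if="ed0"                 # assumed: public-facing interface
int_if="dc0"                 # assumed: LAN-facing interface
table <lan> { 192.168.1.0/24 }   # <lan> is a hypothetical table name

# options
set block-policy return      # answer blocked traffic instead of silently dropping
set skip on lo0              # loopback is never filtered

# translation: rewrite LAN source addresses to the current address of $ext_if
# ($ext_if) in parentheses is re-read at run time, so an address change
# on the interface does not require reloading the rules
nat on $ext_if from <lan> to any -> ($ext_if)

# filtering: default deny, logged, then explicit holes
block log all

# echo requests arriving from the LAN on the inside interface create state,
# so the echo reply is matched back through the translation by the state
# entry rather than needing its own rule
pass in quick on $int_if inet proto icmp from <lan> to any icmp-type echoreq keep state

# explicit pass out on the external interface for the translated packet;
# not needed with the default floating state policy, required if
# 'set state-policy if-bound' is in effect
pass out quick on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state
```

Check the file without loading it with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and confirm forwarding is on (gateway_enable="YES" in /etc/rc.conf, or sysctl net.inet.ip.forwarding=1 for the running system). After a ping from a LAN host, pfctl -ss should show an icmp state entry carrying both the LAN address and the translated external address; if the entry is missing, the packet never matched the pass in rule on the inside interface, which is the point of Greg's advice above.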