From owner-freebsd-questions@FreeBSD.ORG Sun Sep 26 13:32:17 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7F5C1065679 for ; Sun, 26 Sep 2010 13:32:17 +0000 (UTC) (envelope-from freebsd-questions@m.gmane.org)
Received: from lo.gmane.org (lo.gmane.org [80.91.229.12]) by mx1.freebsd.org (Postfix) with ESMTP id 7FB058FC16 for ; Sun, 26 Sep 2010 13:32:17 +0000 (UTC)
Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1OzrKx-0006NE-3z for freebsd-questions@freebsd.org; Sun, 26 Sep 2010 15:32:15 +0200
Received: from pool-173-79-85-36.washdc.fios.verizon.net ([173.79.85.36]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 26 Sep 2010 15:32:15 +0200
Received: from nightrecon by pool-173-79-85-36.washdc.fios.verizon.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 26 Sep 2010 15:32:15 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: freebsd-questions@freebsd.org
From: Michael Powell
Followup-To: gmane.os.freebsd.questions
Date: Sun, 26 Sep 2010 09:34:46 -0400
Lines: 37
Message-ID:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8Bit
X-Complaints-To: usenet@dough.gmane.org
X-Gmane-NNTP-Posting-Host: pool-173-79-85-36.washdc.fios.verizon.net
Cc: freebsd-hackers@freebsd.org
Subject: Re: pf
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 26 Sep 2010 13:32:17 -0000

Samuel Martín Moro wrote:

> Hello,
>
>
> I'm trying to set up pf on my soon-to-be new gateway (8.1-RELEASE amd64).
> I used the sample configuration file available on
> calomel
> After a few tests, it appears that the gate has full access to the
> internet, but I can't open connections from clients to distant servers
> (web, ssh, ...).
> Checking the pflog log file, I can't see anything about those timeouts, even
> if I added the log directive in every block/pass command.
> Everything else seems to work, I can talk with my DNS from the internet,
> ssh redirections to another pc also seem to work.
> I just can't access the Internet from a client of my network...
>
> For debugging, I commented out the options and the 'block all in/out'
> directives.
>
> Here's my config file http://pastebin.com/Nim2zBCx
>
> Is there someone understanding what I'm doing wrong?
>

The firewall ruleset is a trifle overly complex for a quick glance; study
and analysis would take some doing. However, if you can reach the internet
from the firewall box and other client computers behind your NAT can't
(which is what it sounds like you're describing) it may be just that you
are missing gateway_enable="YES" in your /etc/rc.conf. Turning this "ON"
makes your firewall box into a router.

The status of this can be checked with:

sysctl net.inet.ip.forwarding

- a "0" means no gateway and a "1" means gateway.

-Mike
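The check Mike describes has two halves that are easy to get out of sync: the running value of net.inet.ip.forwarding, and the gateway_enable="YES" line in /etc/rc.conf that re-applies it at boot. The script below is an added example written for this thread, not code from either poster or from FreeBSD itself. It parses the sysctl output and the rc.conf text as strings (the sample inputs are constructed), so it can be exercised on any box; on a FreeBSD host it also runs the live check. The four-state diagnosis (runtime vs. persisted) is the assumption it adds beyond the message.

```shell
#!/bin/sh
# Added example: is this FreeBSD box a router, now and after reboot?
# Pure-shell parsing so the functions can be tested with constructed input.

# Map the output of `sysctl net.inet.ip.forwarding` to a state word.
# $1: a line such as "net.inet.ip.forwarding: 1"
forwarding_state() {
    case "$1" in
        "net.inet.ip.forwarding: 1") echo "gateway" ;;
        "net.inet.ip.forwarding: 0") echo "no-gateway" ;;
        *)                           echo "unknown" ;;
    esac
}

# Return 0 if the rc.conf text enables gateway_enable (commented lines
# and other values such as "NO" do not count).
# $1: full contents of /etc/rc.conf
rc_gateway_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*gateway_enable="?[Yy][Ee][Ss]"?[[:space:]]*$'
}

# Combine both halves into one verdict line.
# $1: sysctl output line, $2: rc.conf contents
diagnose() {
    runtime=$(forwarding_state "$1")
    if rc_gateway_enabled "$2"; then persist=yes; else persist=no; fi
    case "$runtime:$persist" in
        gateway:yes)    echo "ok: forwarding on and persisted in rc.conf" ;;
        gateway:no)     echo "warning: forwarding on now but gateway_enable missing from rc.conf; lost at reboot" ;;
        no-gateway:yes) echo "warning: gateway_enable set but forwarding is off; run: sysctl net.inet.ip.forwarding=1" ;;
        no-gateway:no)  echo "problem: not a gateway; add gateway_enable=\"YES\" to /etc/rc.conf" ;;
        *)              echo "unknown: could not parse sysctl output" ;;
    esac
}

# Constructed sample matching the situation in the thread: forwarding off,
# rc.conf has no gateway_enable line.
SAMPLE_SYSCTL='net.inet.ip.forwarding: 0'
SAMPLE_RCCONF='hostname="gw.example"
pf_enable="YES"
# gateway_enable="YES"
sshd_enable="YES"'

diagnose "$SAMPLE_SYSCTL" "$SAMPLE_RCCONF"

# Live check, only where the sysctl and file actually exist.
if [ "$(uname -s)" = FreeBSD ] && [ -r /etc/rc.conf ]; then
    diagnose "$(sysctl net.inet.ip.forwarding)" "$(cat /etc/rc.conf)"
fi
```

Run it on the gateway itself to see both the sample verdict and the live one; the "warning" cases are the ones that bite later, since a box that was fixed with a bare sysctl will silently stop routing at the next reboot.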