From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Ziad Afra
Cc: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: PF on FREEBSD 5
Date: Mon, 19 May 2003 16:59:25 +0900
Message-ID: <20030519075925.GA1531@kt-is.co.kr>
In-Reply-To: <000001c31d94$3cbe0fc0$050410ac@scum>
List: pf4freebsd@freelists.org (archived to freebsd-pf@freebsd.org on Thu, 16 Sep 2004 03:39:03 +0000)

On Mon, May 19, 2003 at 12:21:39AM +0100, Ziad Afra wrote:
> Hello
>
> My experiences are thus
>
> NAT does not work at all on my configuration.
>
>
> My rules are set as follows: -
>
> # macros
> ext_if = "fxp0"
> int_if = "fxp1"
> int_lan = "172.16.4.0/24"
> icmp_types = "{ 8, 11 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat/rdr
> nat on $ext_if from $int_lan to any -> ($ext_if)
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> block drop in quick on $ext_if from any to any
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> block drop out quick on $ext_if from any to any
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You have completely blocked all packets from this host. Remember the
last matching rule wins! (This is not ipfw.) You should remove the
quick keyword so the remaining rules continue to be processed.
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port {22, 80, 53, 113} flags S/SAFR keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass in on $ext_if from any to $int_if keep state
> pass out on $int_if from any to $int_if keep state
> pass out on $ext_if from $int_if keep state
>

Here you may have confused this with ipfw style again. Do not keep state
on the internal network interface if you don't really have to. This makes
the rules much harder to maintain. For normal NAT cases just pass all
packets on the internal interface. If you need filtering, do it on the
external interface. So the above three rules come to this:

pass in quick on $int_if all
pass out quick on $int_if all

> pass out on $ext_if proto tcp all modulate state flags S/SAFR
> pass out on $ext_if proto { udp, icmp } all keep state
>
>
>
> When attempting to call out for dns or other external services from my
> internal LAN, my internal ip is used for the request i.e.
>
> Internally 172.16.4.5 calls for nslookup, this address is used on the
> external interface to the requested dns server for the call. Simply put
> NAT does not seem to be working for my current configuration.
>
> Regards and hope you can help
>
> Ziad
>
>

For more detailed information on PF's syntax and configuration, please
refer to OpenBSD's excellent FAQ.
http://www.openbsd.org/faq/pf/index.html

You can find more examples of pf.conf at this URL.
https://solarflux.org/pf/

Also there is a mailing list for PF on FreeBSD. You may get more help for
FreeBSD specific problems from that list. See
http://pf4freebsd.love2party.net/mlist.html

For general PF FAQ see http://www.benzedrine.cx/mailinglist.html.

Thanks and Good luck.

Pyun YongHyeon
--
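The reply's central point is pf's evaluation order: the last matching rule decides, unless a matching rule carries `quick`, which stops evaluation on the spot. The following Python model is an added illustration and is not part of the thread or of pf itself. It is a deliberately small re-implementation of that ordering, loaded with the rules quoted above (addresses, scrub, NAT, state tracking and TCP flags are left out as assumptions of the model, and the three per-address internal-interface rules are replaced in the corrected set by the two `pass ... quick on $int_if all` rules the reply suggests). Running it shows why the posted ruleset drops every packet on fxp0 and why removing `quick` from the two block rules lets the later pass rules take effect.

```python
"""Toy model of pf rule evaluation: last match wins, `quick` short-circuits.

Added example, not pf's code. Models only direction, interface, protocol,
destination port and the `quick` keyword; everything else in the thread's
pf.conf (addresses, scrub, nat, keep/modulate state, flags) is ignored.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    iface: str                  # interface the packet crosses, e.g. "fxp0"
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # None matches both directions
    iface: Optional[str] = None         # None matches any interface
    proto: Optional[str] = None         # None matches any protocol
    dst_ports: tuple = ()               # empty tuple matches any port
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "pass") -> str:
    """Walk the ruleset in order; the last matching rule wins unless a
    matching rule is `quick`, which ends evaluation immediately.
    pf passes a packet that matches no rule at all, hence the default."""
    decision = default
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


EXT_IF, INT_IF = "fxp0", "fxp1"      # $ext_if and $int_if from the thread


def original_ruleset():
    """The posted filter rules, including the two `block drop ... quick`
    lines the reply underlines (internal-interface rules omitted)."""
    return [
        Rule("block"),                                              # block all
        Rule("pass", iface="lo0", quick=True),                      # pass quick on lo0 all
        Rule("block", direction="in", iface=EXT_IF, quick=True),    # block drop in quick on $ext_if
        Rule("block", direction="out", iface=EXT_IF, quick=True),   # block drop out quick on $ext_if
        Rule("pass", direction="in", iface=EXT_IF, proto="tcp", dst_ports=(22, 80, 53, 113)),
        Rule("pass", direction="in", proto="icmp"),
        Rule("pass", direction="out", iface=EXT_IF, proto="tcp"),
        Rule("pass", direction="out", iface=EXT_IF, proto="udp"),
        Rule("pass", direction="out", iface=EXT_IF, proto="icmp"),
    ]


def corrected_ruleset():
    """Same rules with `quick` dropped from the two block rules, plus the
    reply's `pass in/out quick on $int_if all` for the LAN side."""
    return [
        Rule("block"),
        Rule("pass", iface="lo0", quick=True),
        Rule("pass", direction="in", iface=INT_IF, quick=True),
        Rule("pass", direction="out", iface=INT_IF, quick=True),
        Rule("block", direction="in", iface=EXT_IF),
        Rule("block", direction="out", iface=EXT_IF),
        Rule("pass", direction="in", iface=EXT_IF, proto="tcp", dst_ports=(22, 80, 53, 113)),
        Rule("pass", direction="in", proto="icmp"),
        Rule("pass", direction="out", iface=EXT_IF, proto="tcp"),
        Rule("pass", direction="out", iface=EXT_IF, proto="udp"),
        Rule("pass", direction="out", iface=EXT_IF, proto="icmp"),
    ]


# Constructed sample packets: inbound ssh, outbound DNS, inbound telnet,
# and a LAN host talking to the firewall's inside interface.
SAMPLES = {
    "ssh in on ext": Packet("in", EXT_IF, "tcp", 22),
    "dns out on ext": Packet("out", EXT_IF, "udp", 53),
    "telnet in on ext": Packet("in", EXT_IF, "tcp", 23),
    "lan in on int": Packet("in", INT_IF, "tcp", 445),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} original={evaluate(original_ruleset(), pkt):5} "
              f"corrected={evaluate(corrected_ruleset(), pkt)}")
```

With the posted rules every packet on fxp0 hits one of the two `quick` block rules and evaluation stops there, so the later `pass` rules are never reached; with `quick` removed, the same block rules still match first but the later, more specific pass rules win as the last match, while unwanted inbound traffic such as port 23 still ends on the block.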