From owner-freebsd-pf@FreeBSD.ORG Fri Nov 16 13:48:24 2007
From: "N. Ersen SISECI" <siseci@gmail.com>
Date: Fri, 16 Nov 2007 15:20:34 +0200
To: freebsd-pf@FreeBSD.org
Subject: Nat Pass and PF Default Rule
Message-ID: <473D9922.4010207@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I changed PF's default rule in the kernel (pf_ioctl.h) and then restarted my server. After that the server started successfully, but the internal network (behind the NAT) couldn't access the external network.

Rules:

    pass in log quick all
    pass out log quick all

NAT rule:

    nat pass on em0 inet all -> 192.168.1.1

I changed the filtering and NAT rules to these, but it isn't working. Then I added a log line for the default rule in pf_ioctl.h:

    pf_default_rule.log = PF_LOG;

and then I saw the blocking logs on pflog0 with the same rule set:

    2007-11-16 15:03:19.291742 rule 4294967295/0(match): block out on em0: .... ICMP ... 192.168.1.1 > 192.168.1.36: ICMP echo request

So I removed the pass option from the nat rule and it suddenly started working.

From the man page of pf.conf:

    Packets that match a translation rule are only automatically passed if the pass modifier is given, otherwise they are still subject to block and pass rules.

But I think it's not working as described above. NAT's pass option depends on PF's default rule in the kernel. Is there anything I missed or got wrong?

Thanks.

N. Ersen SISECI
http://www.enderunix.org
EnderUNIX SDT @ Turkey
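As an added example that is not part of the original post and not code from FreeBSD or pf: a small Python checker that attributes pflog "rule N/S(match): ..." lines to the loaded ruleset and flags decisions made by the kernel default rule. pf numbers that rule -1, which pflog prints as the unsigned 32-bit value 4294967295, the number in the poster's log line. The sample pflog lines and the ruleset listing below are constructed for this example; the "@N <rule>" listing shape is an assumption about what `pfctl -vvsr` prints, not captured output.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or from pf itself): attribute
pflog block/pass lines to the pf rule that produced them and flag the kernel
default rule.

Assumptions (also stated in the lead-in):
  - pflog lines look like the tcpdump-on-pflog0 line in the post:
    "rule N/S(match): ACTION DIR on IF: ...". SAMPLE_PFLOG is constructed.
  - The ruleset listing uses the "@N <rule>" shape of `pfctl -vvsr` output.
    SAMPLE_RULESET is constructed, not real pfctl output.
"""
import re
from dataclasses import dataclass
from typing import Optional

# pf's built-in default rule carries rule number -1; pflog reports it as the
# unsigned 32-bit value 4294967295, exactly what the poster saw.
DEFAULT_RULE_NR = 0xFFFFFFFF

PFLOG_RE = re.compile(
    r"rule (?P<nr>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): (?P<pkt>.*)$"
)
RULESET_RE = re.compile(r"^@(?P<nr>\d+) (?P<text>.*)$")


@dataclass
class LogEvent:
    rule_nr: int
    action: str
    direction: str
    ifname: str
    packet: str
    rule_text: Optional[str]  # None when the kernel default rule decided
    default_rule: bool


def parse_ruleset(listing: str) -> dict[int, str]:
    """Map rule numbers to rule text from an "@N <rule>" listing
    (assumed `pfctl -vvsr` shape); statistics lines are skipped."""
    rules: dict[int, str] = {}
    for line in listing.splitlines():
        m = RULESET_RE.match(line.strip())
        if m:
            rules[int(m.group("nr"))] = m.group("text")
    return rules


def parse_pflog_line(line: str, rules: dict[int, str]) -> Optional[LogEvent]:
    """Parse one pflog line; return None for lines that are not pf decisions."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    nr = int(m.group("nr"))
    is_default = nr == DEFAULT_RULE_NR
    return LogEvent(
        rule_nr=nr,
        action=m.group("action"),
        direction=m.group("dir"),
        ifname=m.group("ifname"),
        packet=m.group("pkt"),
        rule_text=None if is_default else rules.get(nr),
        default_rule=is_default,
    )


def default_rule_blocks(log: str, rules: dict[int, str]) -> list[LogEvent]:
    """Every event where the kernel default rule, not the loaded ruleset,
    blocked a packet. A stock default rule passes, so any hit means the
    default action was changed and a packet reached it unmatched."""
    events = (parse_pflog_line(line, rules) for line in log.splitlines())
    return [e for e in events if e and e.default_rule and e.action == "block"]


# Constructed ruleset listing in the assumed `pfctl -vvsr` shape.
SAMPLE_RULESET = """\
@0 pass in log quick all
  [ Evaluations: 10        Packets: 8         Bytes: 640         States: 1     ]
@1 pass out log quick all
  [ Evaluations: 9         Packets: 7         Bytes: 560         States: 1     ]
"""

# Constructed pflog lines, modelled on the single line in the post.
SAMPLE_PFLOG = """\
2007-11-16 15:03:19.291742 rule 4294967295/0(match): block out on em0: 192.168.1.1 > 192.168.1.36: ICMP echo request
2007-11-16 15:03:19.301000 rule 0/0(match): pass in on em0: 192.168.4.36 > 192.168.1.36: ICMP echo request
2007-11-16 15:03:20.000000 rule 1/0(match): pass out on em0: 192.168.1.1 > 192.168.1.36: ICMP echo request
"""

if __name__ == "__main__":
    loaded = parse_ruleset(SAMPLE_RULESET)
    for ev in default_rule_blocks(SAMPLE_PFLOG, loaded):
        print(f"default rule blocked {ev.direction} on {ev.ifname}: {ev.packet}")
```

A non-empty result is the signature the poster describes: the translated packets matched no filter rule, so the default rule made the decision, and a default rule changed from pass to block drops them. Any pflog line whose rule number is 4294967295 is therefore worth treating as "no rule in pf.conf matched", which is the first thing to check before blaming a specific rule.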