Date: Fri, 5 Feb 2010 22:48:12 +0000 (UTC)
From: Ludovico Cavedon <ludovico.cavedon@gmail.com>
To: freebsd-questions@freebsd.org
Subject: allow-opts on a nat pass rule
Message-ID: <loom.20100205T234657-208@post.gmane.org>
Hi all,

I have a FreeBSD 7.2-RELEASE-p2 firewall with a configuration like this:

#### BEGIN ###
ext_if4="em0"   # public interface
int_if="em1"    # private interface, to be source NATted

nat pass log (to pflog2) on $ext_if4 inet from $int_if:network to ! ($ext_if4) -> ($ext_if4)

block drop log                                        # logs to pflog0
pass quick log (to pflog1) on $int_if allow-opts      # private network
pass out from ($ext_if4) allow-opts modulate state    # public network
#### END ###

If I send a packet to a public host from a private one, everything is fine: the packet arrives at the destination, and is logged by pflog1 and pflog2.

If this packet, however, contains an IP option (e.g. NOP), the packet is blocked by the firewall, and logged by pflog1 and pflog0.

Looks like it is not possible to specify "allow-opts" for the "nat pass" rules. Is there any way I can get packets with IP options to be NATted?

Thank you in advance,
Ludovico
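An added example (not from the original post) of the rearrangement a reader would try, under the assumption that allow-opts is accepted only on filter rules and that the "pass" keyword on a nat rule skips filter evaluation: drop "pass" from the nat rule so the translated packet reaches a filter "pass out" rule, which can carry allow-opts.

```conf
# Added example, not from the original post. Assumes allow-opts is only
# accepted on filter (pass/block) rules and that "nat pass" bypasses them.
ext_if4="em0"   # public interface
int_if="em1"    # private interface, to be source NATted

# Translation only: without "pass", the filter ruleset is still evaluated
# for the translated packet leaving $ext_if4.
nat log (to pflog2) on $ext_if4 inet from $int_if:network to ! ($ext_if4) -> ($ext_if4)

block drop log                                        # logs to pflog0

# Private side: option-bearing packets are accepted here as before.
pass quick log (to pflog1) on $int_if allow-opts

# Public side, after translation: this filter rule carries allow-opts,
# so packets with IP options are passed instead of dropped. pf drops IP
# options by default (source-routing options among them), so scope this
# rule to the hosts or protocols that actually need them rather than
# the whole translated range.
pass out log on $ext_if4 from ($ext_if4) allow-opts modulate state
```

With "pass" removed from the nat rule, a blocked option-bearing packet should now show up in pflog0 only if no filter rule with allow-opts matched it, which makes the pflog interfaces a direct check of which rule handled the packet.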